Pau Espin Pedrol gerrit-no-reply at lists.osmocom.org
Review at https://gerrit.osmocom.org/6448
libmsc: bssap: Catch TLV parse failures
Change-Id: I6aef9a94fa5b2e0b62a9c1744b8e18e5985f788f
---
M src/libmsc/a_iface_bssap.c
1 file changed, 49 insertions(+), 9 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/48/6448/1
diff --git a/src/libmsc/a_iface_bssap.c b/src/libmsc/a_iface_bssap.c
index 0946a5d..e0cbf03 100644
--- a/src/libmsc/a_iface_bssap.c
+++ b/src/libmsc/a_iface_bssap.c
@@ -224,6 +224,10 @@
 LOGPCONN(conn, LOGL_INFO, "Rx BSSMAP CLEAR REQUEST\n");
 tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ if (rc < 0) {
+ LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding message!\n");
+ return -EINVAL;
+ }
 if (!TLVP_PRESENT(&tp, GSM0808_IE_CAUSE)) {
 LOGP(DBSSAP, LOGL_ERROR, "Cause code is missing -- discarding message!\n");
 return -EINVAL;
@@ -276,7 +280,11 @@
 LOGP(DBSSAP, LOGL_INFO, "Rx BSSMAP COMPLETE L3 INFO (conn_id=%i)\n", a_conn_info->conn_id);
- tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ if (rc < 0) {
+ LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding message!\n");
+ return -EINVAL;
+ }
 if (!TLVP_PRESENT(&tp, GSM0808_IE_CELL_IDENTIFIER)) {
 LOGP(DBSSAP, LOGL_ERROR, "Mandatory CELL IDENTIFIER not present -- discarding message!\n");
 return -EINVAL;
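Review bot: In the CLEAR REQUEST hunk (-224) the added `if (rc < 0)` tests a value that `tlv_parse()` never wrote, because the call on the preceding context line is still the bare `tlv_parse(&tp, ...)` with no assignment; `rc` holds whatever the function left in it earlier (indeterminate if it is only declared), so a malformed message is not reliably rejected here, which is the whole purpose of the change. Assign the result as the other hunks do: `rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);`. This hunk also adds no `int rc;` declaration, so the variable must already exist in the handler; its head lies outside the hunk and cannot be confirmed from here.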
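Review bot: As a point of style, the COMPLETE L3 INFO hunk (-276) spells out the same call / `rc < 0` / log / `return -EINVAL` sequence that is repeated verbatim in every other hunk of this change (-224, -339, -374, -401, -426, twice in -458, -497); eight hand-copied copies make it easy to drift, and the -224 copy already lost its `rc =`. A single static helper would keep the error text and the discard policy in one place and reduce each call site to two lines. The enclosing handler begins before this hunk, so the helper would be placed above it near the top of the file.
```c
/* Parse the IEs that follow the BSSMAP message type octet.
 * Returns the tlv_parse() result; a negative value has already been logged
 * and the caller is expected to discard the message. */
static int bssmap_tlv_parse(struct tlv_parsed *tp, struct msgb *msg)
{
	int rc = tlv_parse(tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);

	if (rc < 0)
		LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding message!\n");
	return rc;
}

/* … at each call site, e.g. in the COMPLETE L3 INFO handler … */
	if (bssmap_tlv_parse(&tp, msg) < 0)
		return -EINVAL;
	/* … unchanged: mandatory IE presence checks … */
```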
@@ -339,10 +347,15 @@
 const uint8_t *cm3 = NULL;
 uint8_t cm2_len = 0;
 uint8_t cm3_len = 0;
+ int rc;
 LOGPCONN(conn, LOGL_DEBUG, "Rx BSSMAP CLASSMARK UPDATE\n");
- tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ if (rc < 0) {
+ LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding message!\n");
+ return -EINVAL;
+ }
 if (!TLVP_PRESENT(&tp, GSM0808_IE_CLASSMARK_INFORMATION_T2)) {
 LOGPCONN(conn, LOGL_ERROR, "Mandatory Classmark Information Type 2 not present -- discarding message!\n");
 return -EINVAL;
@@ -374,10 +387,15 @@
 struct tlv_parsed tp;
 uint8_t alg_id = 1;
+ int rc;
 LOGPCONN(conn, LOGL_DEBUG, "Rx BSSMAP CIPHER MODE COMPLETE\n");
- tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ if (rc < 0) {
+ LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding message!\n");
+ return -EINVAL;
+ }
 if (TLVP_PRESENT(&tp, GSM0808_IE_CHOSEN_ENCR_ALG)) {
 alg_id = TLVP_VAL(&tp, GSM0808_IE_CHOSEN_ENCR_ALG)[0] - 1;
@@ -401,10 +419,15 @@
 {
 struct tlv_parsed tp;
 uint8_t cause;
+ int rc;
 LOGPCONN(conn, LOGL_NOTICE, "RX BSSMAP CIPHER MODE REJECT\n");
- tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ if (rc < 0) {
+ LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding message!\n");
+ return -EINVAL;
+ }
 if (!TLVP_PRESENT(&tp, BSS_MAP_MSG_CIPHER_MODE_REJECT)) {
 LOGPCONN(conn, LOGL_ERROR, "Cause code is missing -- discarding message!\n");
 return -EINVAL;
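Review bot: The new error line in the CLASSMARK UPDATE hunk (-339) is emitted with `LOGP(DBSSAP, ...)` while every other message in the same handler, including the "not present -- discarding" line right below it, uses `LOGPCONN(conn, ...)`; the discard of a malformed frame is therefore the one log line that lacks the connection context an operator would need to correlate it with the peer BSC. Use `LOGPCONN(conn, LOGL_ERROR, "Failed parsing TLV -- discarding message!\n");` here. The same applies to the new lines at -224, -374, -401, -426, -458 and -497, where context lines show `conn` is in scope; only the COMPLETE L3 INFO hunk at -276 has no `conn` and appears right to keep `LOGP`. The handler's signature lies outside this hunk.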
@@ -426,10 +449,15 @@
 uint8_t cause;
 uint8_t *rr_cause_ptr = NULL;
 uint8_t rr_cause;
+ int rc;
 LOGPCONN(conn, LOGL_NOTICE, "Rx BSSMAP ASSIGNMENT FAILURE message\n");
- tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ if (rc < 0) {
+ LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding message!\n");
+ return -EINVAL;
+ }
 if (!TLVP_PRESENT(&tp, GSM0808_IE_CAUSE)) {
 LOGPCONN(conn, LOGL_ERROR, "Cause code is missing -- discarding message!\n");
 return -EINVAL;
@@ -458,19 +486,28 @@
 {
 struct tlv_parsed tp;
 uint8_t dlci;
+ int rc;
 LOGPCONN(conn, LOGL_NOTICE, "Rx BSSMAP SAPI-N-REJECT message\n");
 /* Note: The MSC code seems not to care about the cause code, but by
 * the specification it is mandatory, so we check its presence. See
 * also 3GPP TS 48.008 3.2.1.34 SAPI "n" REJECT */
- tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ if (rc < 0) {
+ LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding message!\n");
+ return -EINVAL;
+ }
 if (!TLVP_PRESENT(&tp, GSM0808_IE_CAUSE)) {
 LOGPCONN(conn, LOGL_ERROR, "Cause code is missing -- discarding message!\n");
 return -EINVAL;
 }
- tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ if (rc < 0) {
+ LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding message!\n");
+ return -EINVAL;
+ }
 if (!TLVP_PRESENT(&tp, GSM0808_IE_DLCI)) {
 LOGPCONN(conn, LOGL_ERROR, "DLCI is missing -- discarding message!\n");
 return -EINVAL;
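Review bot: In the SAPI-N-REJECT hunk (-458) `tlv_parse()` is still run twice over the same octets with identical arguments, and the commit now copies the `rc` check after each call instead of dropping the redundant second parse; with the same inputs the second run yields the same result and merely re-fills `tp`, so the second check can never fire where the first passed. Remove the second `rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);` together with its `if (rc < 0) { ... }` block, so the DLCI presence check follows the cause check directly. The handler opens at the hunk's `{` line; its tail lies beyond the hunk.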
@@ -497,8 +534,11 @@
 LOGPCONN(conn, LOGL_INFO, "Rx BSSMAP ASSIGNMENT COMPLETE message\n");
- tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
-
+ rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);
+ if (rc < 0) {
+ LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding message!\n");
+ return -EINVAL;
+ }
 if (!TLVP_PRESENT(&tp, GSM0808_IE_AOIP_TRASP_ADDR)) {
 LOGPCONN(conn, LOGL_ERROR, "AoIP transport identifier missing -- discarding message!\n");
 return -EINVAL;
--
To view, visit https://gerrit.osmocom.org/6448
To unsubscribe, visit https://gerrit.osmocom.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I6aef9a94fa5b2e0b62a9c1744b8e18e5985f788f
Gerrit-PatchSet: 1
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Pau Espin Pedrol <pespin at sysmocom.de>