Change in osmo-msc[master]: a_iface_bssap: check bssmap length field

dexter gerrit-no-reply at lists.osmocom.org
Mon Mar 18 17:16:59 UTC 2019


dexter has uploaded this change for review. ( https://gerrit.osmocom.org/13307 )


Change subject: a_iface_bssap: check bssmap length field
......................................................................

a_iface_bssap: check bssmap length field

At the moment the length field of the bssmap header is not parsed.
Instead the length is computed out of the known header length and the
number of bytes received. This is prone to error; let's make sure that
extraneous data at the end of a message is ignored by parsing the bssmap
length correctly.

Change-Id: I3b89dd5a66ec83b03860b58b6b8eb58007f433a4
Related: OS#3806
---
M src/libmsc/a_iface_bssap.c
1 file changed, 28 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/07/13307/1

diff --git a/src/libmsc/a_iface_bssap.c b/src/libmsc/a_iface_bssap.c
index cb245b8..d0594bf 100644
--- a/src/libmsc/a_iface_bssap.c
+++ b/src/libmsc/a_iface_bssap.c
@@ -703,6 +703,33 @@
 	return 0;
 }
 
+/* Extract and verify the length information from the BSSMAP header. */
+void bssmap_msg_verify_len(struct msgb *msg)
+{
+	unsigned int expected_len;
+	unsigned int calculated_len;
+	struct bssmap_header *bssmap_header;
+
+	bssmap_header = (struct bssmap_header *)msg->l2h;
+
+	calculated_len = msgb_l3len(msg);
+	expected_len = bssmap_header->length;
+
+	/* In case of contradictory length information, decide for the
+	 * shorter length */
+	if (calculated_len > expected_len) {
+		LOGP(DBSSAP, LOGL_NOTICE,
+		     "BSSMAP message contains extranous data, expected %u bytes, got %u bytes, truncated\n",
+		     expected_len, calculated_len);
+		msgb_l3trim(msg, expected_len);
+	} else if (calculated_len < expected_len) {
+		LOGP(DMSC, LOGL_NOTICE,
+		     "Short BSSMAP message, expected %u bytes, got %u bytes\n",
+		     expected_len, calculated_len);
+		msgb_l3trim(msg, calculated_len);
+	}
+}
+
 /* Handle incoming connection oriented messages. No ownership of 'msg' is passed on! */
 int a_sccp_rx_dt(struct osmo_sccp_user *scu, const struct a_conn_info *a_conn_info, struct msgb *msg)
 {
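Review bot: in the `calculated_len < expected_len` branch, `msgb_l3trim(msg, calculated_len)` is a no-op, because calculated_len was just read from msgb_l3len(msg), and since the function returns void the caller cannot reject a message whose header claims more bytes than were received. Consider returning int (negative for the short case) so a_sccp_rx_dt() can drop such a message instead of passing it on to rx_bssmap(). Smaller points: the two LOGP calls use different log categories (DBSSAP and DMSC), the function is only called from this file in the visible lines so it could be static, and "extranous" in the log string should read "extraneous".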
@@ -718,6 +745,7 @@
 	switch (msg->l2h[0]) {
 	case BSSAP_MSG_BSS_MANAGEMENT:
 		msg->l3h = &msg->l2h[sizeof(struct bssmap_header)];
+		bssmap_msg_verify_len(msg);
 		return rx_bssmap(scu, a_conn_info, msg);
 	case BSSAP_MSG_DTAP:
 		return rx_dtap(scu, a_conn_info, msg);
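Review bot: the call added under `case BSSAP_MSG_BSS_MANAGEMENT:` makes bssmap_msg_verify_len() read bssmap_header->length through msg->l2h, but the visible lines only show msg->l2h[0] being inspected before that. Unless an earlier check in a_sccp_rx_dt() already guarantees it, verify that msgb_l2len(msg) is at least sizeof(struct bssmap_header) before setting msg->l3h and calling the helper. As written, rx_bssmap() runs regardless of what the helper found, so a length mismatch can only ever be logged, never rejected.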

-- 
To view, visit https://gerrit.osmocom.org/13307

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3b89dd5a66ec83b03860b58b6b8eb58007f433a4
Gerrit-Change-Number: 13307
Gerrit-PatchSet: 1
Gerrit-Owner: dexter <pmaier at sysmocom.de>