<p>Harald Welte <strong>merged</strong> this change.</p><p><a href="https://gerrit.osmocom.org/12873">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Pau Espin Pedrol: Looks good to me, but someone else must approve
Harald Welte: Looks good to me, approved
Jenkins Builder: Verified
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">OML: Properly reject short messages and truncate over-long messages<br><br>For OML, what matters is the length indicated in the OML message header.<br><br>If we don't have sufficient bytes, reject the message and send a failure<br>event report.<br><br>If we have more bytes, truncate the message at the number of bytes<br>indicated in the OML length header.<br><br>Change-Id: Ib98f0d7c2cff9172714ed18667c02564540d65d7<br>---<br>M src/common/oml.c<br>1 file changed, 23 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/common/oml.c b/src/common/oml.c</span><br><span>index d389e29..8bc31f8 100644</span><br><span>--- a/src/common/oml.c</span><br><span>+++ b/src/common/oml.c</span><br><span>@@ -1087,6 +1087,7 @@</span><br><span> </span><br><span> static int down_fom(struct gsm_bts *bts, struct msgb *msg)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+ struct abis_om_hdr *oh = msgb_l2(msg);</span><br><span> struct abis_om_fom_hdr *foh = msgb_l3(msg);</span><br><span> struct gsm_bts_trx *trx;</span><br><span> const struct gsm_abis_mo *mo = &bts->mo;</span><br><span>@@ -1100,6 +1101,13 @@</span><br><span> return -EIO;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (msgb_l3len(msg) > oh->length) {</span><br><span style="color: hsl(120, 100%, 40%);">+ LOGP(DOML, LOGL_NOTICE, "OML message with %u extraneous bytes at end: %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ msgb_l3len(msg) - oh->length, msgb_hexdump(msg));</span><br><span style="color: hsl(120, 100%, 40%);">+ /* remove extra bytes at end */</span><br><span style="color: hsl(120, 100%, 40%);">+ msgb_l3trim(msg, oh->length);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> if 
(report_bts_number_incorrect(bts, foh, true))</span><br><span> return oml_fom_ack_nack(msg, NM_NACK_BTSNR_UNKN);</span><br><span> </span><br><span>@@ -1383,6 +1391,13 @@</span><br><span> return -EINVAL;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (msgb_l3len(msg) > oh->length + 1 + oh->data[0]) {</span><br><span style="color: hsl(120, 100%, 40%);">+ LOGP(DOML, LOGL_NOTICE, "OML message with %u extraneous bytes at end: %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ msgb_l3len(msg) - oh->length, msgb_hexdump(msg));</span><br><span style="color: hsl(120, 100%, 40%);">+ /* remove extra bytes at end */</span><br><span style="color: hsl(120, 100%, 40%);">+ msgb_l3trim(msg, oh->length);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> msg->l3h = oh->data + 1 + idstrlen;</span><br><span> foh = (struct abis_om_fom_hdr *) msg->l3h;</span><br><span> </span><br><span>@@ -1440,6 +1455,14 @@</span><br><span> return -EIO;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (msgb_l3len(msg) < oh->length) {</span><br><span style="color: hsl(120, 100%, 40%);">+ oml_tx_failure_event_rep(&bts->mo, OSMO_EVT_MAJ_UKWN_MSG,</span><br><span style="color: hsl(120, 100%, 40%);">+ "Short OML message: %u < %u\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ msgb_l3len(msg), oh->length);</span><br><span style="color: hsl(120, 100%, 40%);">+ msgb_free(msg);</span><br><span style="color: hsl(120, 100%, 40%);">+ return -EIO;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> switch (oh->mdisc) {</span><br><span> case ABIS_OM_MDISC_FOM:</span><br><span> if (msgb_l2len(msg) < sizeof(*oh)) {</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/12873">change 12873</a>. 
</p>
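<p>Review bot: in the @@ -1383,6 +1391,13 @@ hunk the condition, the logged byte count and the trim do not agree on the expected length. The test accepts up to oh->length + 1 + oh->data[0] bytes, but the log reports msgb_l3len(msg) - oh->length as extraneous and msgb_l3trim(msg, oh->length) cuts to oh->length, so a message that trips the check loses 1 + oh->data[0] bytes more than the condition treats as excess. Compute the expected length once into a local and use it for the comparison, the log argument and the trim. The context line right below uses idstrlen where the condition reads oh->data[0]; if they hold the same value, reuse idstrlen. Since msg->l3h is reassigned on that same context line, it is also worth a comment stating which l3 offset the trim is relative to.</p>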
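<p>Review bot: in the @@ -1440,6 +1455,14 @@ hunk the new test reads oh->length ahead of the msgb_l2len(msg) < sizeof(*oh) check that sits inside case ABIS_OM_MDISC_FOM in the context below. Unless the check whose tail is visible just above the hunk already guarantees a complete header, the length field can be read from a buffer shorter than the header itself. Moving the header-size test in front of this block would cover every mdisc case with one check. The failure event text also ends in \n, which the LOGP calls in the other hunks need but a report string probably does not.</p>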
<div style="display:none"> Gerrit-Project: osmo-bts </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: Ib98f0d7c2cff9172714ed18667c02564540d65d7 </div>
<div style="display:none"> Gerrit-Change-Number: 12873 </div>
<div style="display:none"> Gerrit-PatchSet: 3 </div>
<div style="display:none"> Gerrit-Owner: Harald Welte <laforge@gnumonks.org> </div>
<div style="display:none"> Gerrit-Reviewer: Harald Welte <laforge@gnumonks.org> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder (1000002) </div>
<div style="display:none"> Gerrit-Reviewer: Max <msuraev@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Pau Espin Pedrol <pespin@sysmocom.de> </div>