fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-bsc/+/27620 )
Change subject: abis_rsl: always check return value of rsl_tlv_parse() ......................................................................
abis_rsl: always check return value of rsl_tlv_parse()
Change-Id: Id022628934e7d51ce66cb255baa88f24bf5c918a Related: SYS#5905 --- M src/osmo-bsc/abis_rsl.c 1 file changed, 61 insertions(+), 14 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/20/27620/1
diff --git a/src/osmo-bsc/abis_rsl.c b/src/osmo-bsc/abis_rsl.c index 6681875..8730954 100644 --- a/src/osmo-bsc/abis_rsl.c +++ b/src/osmo-bsc/abis_rsl.c @@ -1221,7 +1221,12 @@ return -EINVAL; }
- rsl_tlv_parse(&tp, dh->data, msgb_l2len(msg)-sizeof(*dh)); + if (rsl_tlv_parse(&tp, dh->data, msgb_l2len(msg) - sizeof(*dh)) < 0) { + LOG_LCHAN(msg->lchan, LOGL_ERROR, "Failed to parse RSL %s\n", + rsl_or_ipac_msg_name(dh->c.msg_type)); + return -EINVAL; + } + cause_p = rsl_cause(&tp); LOG_LCHAN(lchan, LOGL_ERROR, "CHANNEL ACTIVATE NACK%s\n", rsl_cause_name(&tp));
@@ -1241,7 +1246,12 @@ struct tlv_parsed tp; const uint8_t *cause_p;
- rsl_tlv_parse(&tp, dh->data, msgb_l2len(msg)-sizeof(*dh)); + if (rsl_tlv_parse(&tp, dh->data, msgb_l2len(msg) - sizeof(*dh)) < 0) { + LOG_LCHAN(msg->lchan, LOGL_ERROR, "Failed to parse RSL %s\n", + rsl_or_ipac_msg_name(dh->c.msg_type)); + return -EINVAL; + } + cause_p = rsl_cause(&tp);
LOG_LCHAN(lchan, LOGL_ERROR, "CONNECTION FAIL%s\n", rsl_cause_name(&tp)); @@ -1385,7 +1395,11 @@ memset(mr, 0, sizeof(*mr)); mr->lchan = msg->lchan;
- rsl_tlv_parse(&tp, dh->data, msgb_l2len(msg)-sizeof(*dh)); + if (rsl_tlv_parse(&tp, dh->data, msgb_l2len(msg) - sizeof(*dh)) < 0) { + LOG_LCHAN(msg->lchan, LOGL_ERROR, "Failed to parse RSL %s\n", + rsl_or_ipac_msg_name(dh->c.msg_type)); + return -EINVAL; + }
if (!TLVP_PRESENT(&tp, RSL_IE_MEAS_RES_NR) || !TLVP_PRESENT(&tp, RSL_IE_UPLINK_MEAS) || @@ -1466,7 +1480,11 @@ .msg = msg, };
- rsl_tlv_parse(&tp, dh->data, msgb_l2len(msg)-sizeof(*dh)); + if (rsl_tlv_parse(&tp, dh->data, msgb_l2len(msg) - sizeof(*dh)) < 0) { + LOG_LCHAN(msg->lchan, LOGL_ERROR, "Failed to parse RSL %s\n", + rsl_or_ipac_msg_name(dh->c.msg_type)); + return -EINVAL; + }
if (TLVP_PRESENT(&tp, RSL_IE_ACCESS_DELAY)) d.access_delay = TLVP_VAL(&tp, RSL_IE_ACCESS_DELAY); @@ -1602,7 +1620,11 @@ struct tlv_parsed tp; struct e1inp_sign_link *sign_link = msg->dst;
- rsl_tlv_parse(&tp, rslh->data, msgb_l2len(msg)-sizeof(*rslh)); + if (rsl_tlv_parse(&tp, rslh->data, msgb_l2len(msg) - sizeof(*rslh)) < 0) { + LOGP(DRSL, LOGL_ERROR, "%s Failed to parse RSL %s\n", + gsm_trx_name(sign_link->trx), rsl_or_ipac_msg_name(rslh->msg_type)); + return -EINVAL; + }
LOGP(DRSL, LOGL_ERROR, "%s ERROR REPORT%s\n", gsm_trx_name(sign_link->trx), rsl_cause_name(&tp)); @@ -1619,7 +1641,7 @@ struct gsm_bts_trx *trx = sign_link->trx; struct gsm_lchan *lchan; int ts_nr; - int rc, i; + int i;
LOGP(DRSL, LOGL_DEBUG, "%s Rx Resource Indication\n", gsm_trx_name(trx));
@@ -1633,9 +1655,9 @@ } }
- rc = rsl_tlv_parse(&tp, rslh->data, msgb_l2len(msg) - sizeof(*rslh)); - if (rc < 0) { - LOGP(DRSL, LOGL_ERROR, "Rx Resource Indication: failed to parse the message\n"); + if (rsl_tlv_parse(&tp, rslh->data, msgb_l2len(msg) - sizeof(*rslh)) < 0) { + LOGP(DRSL, LOGL_ERROR, "%s Failed to parse RSL %s\n", + gsm_trx_name(trx), rsl_or_ipac_msg_name(rslh->msg_type)); return -EINVAL; }
@@ -2355,7 +2377,12 @@ struct tlv_parsed tp; uint8_t slot_count;
- rsl_tlv_parse(&tp, rslh->data, msgb_l2len(msg) - sizeof(*rslh)); + if (rsl_tlv_parse(&tp, rslh->data, msgb_l2len(msg) - sizeof(*rslh)) < 0) { + LOGP(DRSL, LOGL_ERROR, "%s Failed to parse RSL %s\n", + gsm_trx_name(sign_link->trx), rsl_or_ipac_msg_name(rslh->c.msg_type)); + return -EINVAL; + } + if (!TLVP_PRESENT(&tp, RSL_IE_CBCH_LOAD_INFO)) { LOG_BTS(bts, DRSL, LOGL_ERROR, "CBCH LOAD IND without mandatory CBCH Load Info IE\n"); return -1; @@ -2443,7 +2470,12 @@ struct abis_rsl_rll_hdr *rllh = msgb_l2(msg); uint8_t rlm_cause;
- rsl_tlv_parse(&tp, rllh->data, msgb_l2len(msg) - sizeof(*rllh)); + if (rsl_tlv_parse(&tp, rllh->data, msgb_l2len(msg) - sizeof(*rllh)) < 0) { + LOG_LCHAN(msg->lchan, LOGL_ERROR, "Failed to parse RSL %s\n", + rsl_or_ipac_msg_name(rllh->c.msg_type)); + return -EINVAL; + } + if (!TLVP_PRESENT(&tp, RSL_IE_RLM_CAUSE)) { LOG_LCHAN(msg->lchan, LOGL_ERROR, "ERROR INDICATION without mandantory cause.\n"); return -1; @@ -2809,7 +2841,12 @@ * address and port number to which it has bound the given logical * channel */
- rsl_tlv_parse(&tv, dh->data, msgb_l2len(msg)-sizeof(*dh)); + if (rsl_tlv_parse(&tv, dh->data, msgb_l2len(msg) - sizeof(*dh)) < 0) { + LOG_LCHAN(msg->lchan, LOGL_ERROR, "Failed to parse RSL %s\n", + rsl_or_ipac_msg_name(dh->c.msg_type)); + return -EINVAL; + } + if (!TLVP_PRESENT(&tv, RSL_IE_IPAC_LOCAL_PORT) || !TLVP_PRESENT(&tv, RSL_IE_IPAC_LOCAL_IP) || !TLVP_PRESENT(&tv, RSL_IE_IPAC_CONN_ID)) { @@ -2854,7 +2891,12 @@ * it now tells us the IP address and port number to which it has * connected the given logical channel */
- rsl_tlv_parse(&tv, dh->data, msgb_l2len(msg)-sizeof(*dh)); + if (rsl_tlv_parse(&tv, dh->data, msgb_l2len(msg) - sizeof(*dh)) < 0) { + LOG_LCHAN(msg->lchan, LOGL_ERROR, "Failed to parse RSL %s\n", + rsl_or_ipac_msg_name(dh->c.msg_type)); + return -EINVAL; + } + ipac_parse_rtp(lchan, &tv, "MDCX");
osmo_fsm_inst_dispatch(lchan->fi_rtp, LCHAN_RTP_EV_IPACC_MDCX_ACK, 0); @@ -2882,7 +2924,12 @@ struct abis_rsl_dchan_hdr *dh = msgb_l2(msg); struct tlv_parsed tv;
- rsl_tlv_parse(&tv, dh->data, msgb_l2len(msg)-sizeof(*dh)); + if (rsl_tlv_parse(&tv, dh->data, msgb_l2len(msg) - sizeof(*dh)) < 0) { + LOG_LCHAN(msg->lchan, LOGL_ERROR, "Failed to parse RSL %s\n", + rsl_or_ipac_msg_name(dh->c.msg_type)); + return -EINVAL; + } + LOG_LCHAN(msg->lchan, LOGL_NOTICE, "Rx IPACC DLCX IND%s\n", rsl_cause_name(&tv));