neels has uploaded this change for review.


hnbgw_rx_hnb_register_req(): guard against asn.1 parsing errors

Change-Id: I555f11cadc23ea231821bd48f7cd62953b022e9e
---
M src/osmo-hnbgw/hnbgw_hnbap.c
1 file changed, 17 insertions(+), 1 deletion(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-hnbgw refs/changes/62/39362/1
diff --git a/src/osmo-hnbgw/hnbgw_hnbap.c b/src/osmo-hnbgw/hnbgw_hnbap.c
index e373600..ca46e55 100644
--- a/src/osmo-hnbgw/hnbgw_hnbap.c
+++ b/src/osmo-hnbgw/hnbgw_hnbap.c
@@ -465,6 +465,16 @@
return 0;
}

+static bool is_asn1_octet_string_empty(const OCTET_STRING_t *val)
+{
+ return !val || !val->buf || !val->size;
+}
+
+static bool is_asn1_bit_string_empty(const BIT_STRING_t *val)
+{
+ return !val || !val->buf || !val->size;
+}
+
static int hnbgw_rx_hnb_register_req(struct hnb_context *ctx, ANY_t *in)
{
struct hnb_persistent *hnbp;
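Review bot: Both new helpers only reject a NULL or zero-length value, so a field that is present but shorter than its consumer expects still passes as valid. If the code after the decode reads a fixed number of bytes from lac, sac, rac, plmNidentity or cellIdentity (not visible here), a peer-supplied short value would still reach it; consider checking a per-IE minimum size rather than `!val->size`. The two bodies are identical and neither states its contract, so a comment such as `/* true if val is NULL or carries no data; does not validate the IE's expected length */` would make the limit explicit. For the bit string, `bits_unused` is not considered either.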
@@ -480,7 +490,13 @@
socklen_t len = sizeof(cur_osa);

rc = hnbap_decode_hnbregisterrequesties(&ies, in);
- if (rc < 0) {
+ if (rc < 0
+ /* CID#465551: make sure that actual values ended up in the asn1 octet strings: */
+ || is_asn1_octet_string_empty(&ies.lac)
+ || is_asn1_octet_string_empty(&ies.sac)
+ || is_asn1_octet_string_empty(&ies.rac)
+ || is_asn1_bit_string_empty(&ies.cellIdentity)
+ || is_asn1_octet_string_empty(&ies.plmNidentity)) {
LOGHNB(ctx, DHNBAP, LOGL_ERROR, "Failure to decode HNB-REGISTER-REQ: rc=%d\n", rc);
cause.present = HNBAP_Cause_PR_protocol;
cause.choice.radioNetwork = HNBAP_CauseProtocol_unspecified;
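Review bot: When the decode succeeds but one of the new emptiness checks fails, the log line prints `rc=0`, which reads as a success code next to "Failure to decode" and hides which IE was rejected. Consider wording it as `"Failure to decode HNB-REGISTER-REQ: rc=%d (or empty mandatory IE)\n"`, or logging the empty-IE case separately with the field name, so operators can tell a malformed PDU from a decoder error. In that same case `ies` holds successfully decoded data; the error path continues outside this hunk, so confirm it releases `ies` before returning.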


Gerrit-MessageType: newchange
Gerrit-Project: osmo-hnbgw
Gerrit-Branch: master
Gerrit-Change-Id: I555f11cadc23ea231821bd48f7cd62953b022e9e
Gerrit-Change-Number: 39362
Gerrit-PatchSet: 1
Gerrit-Owner: neels <nhofmeyr@sysmocom.de>