pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-bsc/+/41449?usp=email )
Change subject: sccplite: rx mgcp: Make sure payload string is null-terminated ......................................................................
sccplite: rx mgcp: Make sure payload string is null-terminated
Change-Id: Iac3ea7dd5d89eb9ffb6d5123700e9dc9cdfc2ea2
---
M src/osmo-bsc/osmo_bsc_mgcp.c
1 file changed, 41 insertions(+), 7 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/49/41449/1
diff --git a/src/osmo-bsc/osmo_bsc_mgcp.c b/src/osmo-bsc/osmo_bsc_mgcp.c
index 8eee71f..ec0bbe6 100644
--- a/src/osmo-bsc/osmo_bsc_mgcp.c
+++ b/src/osmo-bsc/osmo_bsc_mgcp.c
@@ -74,8 +74,7 @@
 return 0;
 }
-/* We received an IPA-encapsulated MGCP message from a MSC. msg owned by caller. */
-int bsc_sccplite_rx_mgcp(struct bsc_msc_data *msc, struct msgb *msg)
+static int _bsc_sccplite_rx_mgcp(struct bsc_msc_data *msc, struct msgb *msg)
 {
 struct gsm_subscriber_connection *conn;
 char rcv_ep_local_name[1024];
@@ -85,11 +84,14 @@
 struct mgcp_client *mgcp_cli = NULL;
 int rc;
- LOG_MSC(msc, LOGL_INFO, "Received IPA-encapsulated MGCP: %s\n", msg->l2h);
+ LOG_MSC(msc, LOGL_INFO,
+ "Received IPA-encapsulated MGCP: %s\n", (const char *)msgb_l2(msg));
- rc = parse_local_endpoint_name(rcv_ep_local_name, sizeof(rcv_ep_local_name), (const char *)msg->l2h);
+ rc = parse_local_endpoint_name(rcv_ep_local_name, sizeof(rcv_ep_local_name),
+ (const char *)msgb_l2(msg));
 if (rc < 0) {
- LOG_MSC(msc, LOGL_ERROR, "Received IPA-encapsulated MGCP: Failed to parse CIC\n");
+ LOG_MSC(msc, LOGL_ERROR,
+ "Received IPA-encapsulated MGCP: Failed to parse CIC\n");
 return rc;
 }
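Review bot: Both uses of the payload in this hunk, the `%s` in the INFO log line and `parse_local_endpoint_name()`, read `msgb_l2(msg)` as a C string, so `_bsc_sccplite_rx_mgcp()` now silently depends on its caller for NUL termination while the commit drops the only comment above it. I would put the contract on the helper, e.g. `/* Caller must guarantee that the L2 payload is NUL-terminated. msg owned by caller. */`. The INFO line also writes the peer-supplied text to the log unescaped; libosmocore's `osmo_quote_str((const char *)msgb_l2(msg), msgb_l2len(msg))` would escape control characters and bound the read by length. The helper's signature is in the previous hunk and its body continues past this one.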
@@ -104,7 +106,8 @@
 if (!conn->user_plane.mgw_endpoint)
 continue;
 ep_local_name = osmo_mgcpc_ep_local_name(conn->user_plane.mgw_endpoint);
- LOGPFSMSL(conn->fi, DMSC, LOGL_DEBUG, "ep_local_name='%s' vs rcv_ep_local_name='%s'\n",
+ LOGPFSMSL(conn->fi, DMSC, LOGL_DEBUG,
+ "ep_local_name='%s' vs rcv_ep_local_name='%s'\n",
 ep_local_name ? : "(null)", rcv_ep_local_name);
 if (!ep_local_name)
 continue;
@@ -117,7 +120,8 @@
 }
if (!mgcp_cli) {
- LOG_MSC(msc, LOGL_ERROR, "Received IPA-encapsulated MGCP: Failed to find associated MGW\n");
+ LOG_MSC(msc, LOGL_ERROR,
+ "Received IPA-encapsulated MGCP: Failed to find associated MGW\n");
 return 0;
 }
@@ -147,6 +151,36 @@
 return rc;
 }
+/* We received an IPA-encapsulated MGCP message from MSC. msg owned by caller. */
+int bsc_sccplite_rx_mgcp(struct bsc_msc_data *msc, struct msgb *msg)
+{
+ int rc;
+ struct msgb *msg_resized;
+
+ if (msgb_l2len(msg) == 0) {
+ LOG_MSC(msc, LOGL_NOTICE, "Received empty IPA-encapsulated MGCP\n");
+ return -ENODATA;
+ }
+
+ /* Make sure we have a NULL-terminated string to be on the safe side: */
+ if (*((const char *)msgb_l2(msg) + msgb_l2len(msg) - 1) == '\0')
+ return _bsc_sccplite_rx_mgcp(msc, msg);
+
+ /* If there's extra space available in msgb from lower layers, simply nullify next char: */
+ if (msgb_tailroom(msg) > 0) {
+ *msg->tail = '\0';
+ return _bsc_sccplite_rx_mgcp(msc, msg);
+ }
+
+ /* Otherwise, craft a resized message: */
+ msg_resized = msgb_copy_resize(msg, msgb_length(msg)+1, "mgcp-resized");
+ OSMO_ASSERT(msgb_tailroom(msg) == 1);
+ *msg->tail = '\0';
+ rc = _bsc_sccplite_rx_mgcp(msc, msg_resized);
+ msgb_free(msg_resized);
+ return rc;
+}
+
 /* we received some data on the UDP proxy socket from the MGW. Pass it to MSC via IPA */
 int bsc_sccplite_mgcp_proxy_cb(struct osmo_fd *ofd, unsigned int what)
 {
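Review bot: The fallback branch at the end of `bsc_sccplite_rx_mgcp()` checks and writes the wrong buffer: after `msgb_copy_resize()` it still uses `msg`, whose tailroom is already known to be 0 on this path, so `OSMO_ASSERT(msgb_tailroom(msg) == 1)` fails whenever the branch is reached, and if the assert were removed the store `*msg->tail = '\0'` would land one byte past the original buffer while `msg_resized` stays unterminated. Since the payload comes from the MSC link, a message that fills its buffer without a trailing NUL becomes a process abort rather than a handled error. Both lines should refer to the copy, `OSMO_ASSERT(msgb_tailroom(msg_resized) == 1);` and `*msg_resized->tail = '\0';`, preceded by `if (!msg_resized) return -ENOMEM;` because the copy's result is used unchecked. It is also worth confirming that `msgb_copy_resize()` carries `l2h` over to the copy, since the helper reads `msgb_l2()` of whatever it is handed.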