pespin has uploaded this change for review. (
https://gerrit.osmocom.org/c/osmo-hnbgw/+/39481?usp=email )
Change subject: peek_l3_ul_nas: Improve GMM Attach Req parsing checks
......................................................................
peek_l3_ul_nas: Improve GMM Attach Req parsing checks
Related: OS#6717
Change-Id: Ic9815215d40d7bb59709dcbffa0a4673f1e0e710
---
M src/osmo-hnbgw/hnbgw_l3.c
1 file changed, 13 insertions(+), 7 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-hnbgw refs/changes/81/39481/1
diff --git a/src/osmo-hnbgw/hnbgw_l3.c b/src/osmo-hnbgw/hnbgw_l3.c
index 5b3b870..591f3a5 100644
--- a/src/osmo-hnbgw/hnbgw_l3.c
+++ b/src/osmo-hnbgw/hnbgw_l3.c
@@ -68,6 +68,7 @@
}
}
+/* Parse 3GPP TS 24.008 § 9.4.1 Attach request */
static int mobile_identity_decode_from_gmm_att_req(struct osmo_mobile_identity *mi,
struct osmo_routing_area_id *old_ra,
int *nri,
@@ -82,11 +83,16 @@
uint8_t ms_ra_acc_cap_len;
int rc;
+ if (l3_len < 26)
+ return -ENOSPC;
+
/* MS network capability 10.5.5.12 */
msnc_len = *cur++;
+ if (l3_len < (msnc_len + (cur - l3_data)))
+ return -ENOSPC;
cur += msnc_len;
- /* aTTACH Type 10.5.5.2 */
+ /* aTTACH Type 10.5.5.2 + Ciphering key sequence number 10.5.1.2 */
cur++;
/* DRX parameter 10.5.5.6 */
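Review bot: The added length checks cover only the value part of each LV field, so the fixed octets read after them can still lie past `l3_data + l3_len`. With `l3_len` at the 26 minimum and a large `msnc_len`, the check after `msnc_len = *cur++` passes with `cur` at the end of the buffer, and the attach type octet, the DRX parameter and `mi_len = *cur++` in the next hunk are then read with no remaining-length test. The same holds for `ms_ra_acc_cap_len = *cur++` in the last hunk. The `l3_len < 26` guard only protects these reads when every variable-length field has its minimum size. Each check should also count the fixed octets consumed before the next check, e.g. `if (l3_len < (msnc_len + (cur - l3_data)) + 4)` here, assuming the DRX advance outside this hunk is two octets; the 26 would also be clearer as a named constant with a comment listing the mandatory fields it sums.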
@@ -95,10 +101,9 @@
/* Mobile Identity (P-TMSI or IMSI) 10.5.1.4 */
mi_len = *cur++;
mi_data = cur;
- cur += mi_len;
-
- if (cur >= end)
+ if (l3_len < (mi_len + (cur - l3_data)))
return -ENOSPC;
+ cur += mi_len;
rc = osmo_mobile_identity_decode(mi, mi_data, mi_len, allow_hex);
if (rc)
@@ -112,11 +117,12 @@
/* MS Radio Access Capability 10.5.5.12a */
ms_ra_acc_cap_len = *cur++;
+ if (l3_len < (ms_ra_acc_cap_len + (cur - l3_data)))
+ return -ENOSPC;
cur += ms_ra_acc_cap_len;
- if (cur > end)
- return -ENOSPC;
-
+ if (l3_len == (cur - l3_data))
+ return 0; /* No Optional TLV section */
decode_gmm_tlv(mi, old_ra, nri, cur, end - cur, allow_hex);
return 0;
}
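Review bot: The result of `decode_gmm_tlv()` on the second-to-last line is discarded, so a truncated or malformed optional TLV section still makes this function return 0. Whether the helper reports a status is not visible in this hunk; if it does, `return decode_gmm_tlv(mi, old_ra, nri, cur, end - cur, allow_hex);` would carry the stricter parsing through to the end. If ignoring it is deliberate best-effort, a short comment such as `/* optional IEs: decoding errors are not fatal */` would say so. As a style point, the new early return tests `l3_len == (cur - l3_data)` while the call below uses `end - cur`; assuming `end` is `l3_data + l3_len`, `if (cur == end)` expresses the same condition with the variable already in use.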
--
To view, visit
https://gerrit.osmocom.org/c/osmo-hnbgw/+/39481?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: osmo-hnbgw
Gerrit-Branch: master
Gerrit-Change-Id: Ic9815215d40d7bb59709dcbffa0a4673f1e0e710
Gerrit-Change-Number: 39481
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin(a)sysmocom.de>