pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-hnbgw/+/39480?usp=email )
Change subject: peek_l3_ul_nas: Improve RAU req parsing checks ......................................................................
peek_l3_ul_nas: Improve RAU req parsing checks
Used recently updated osmo-sgsn gprs_gmm_parse_ra_upd_req() as a guide.
Related: OS#6717 Change-Id: I1a6c642e7017e159a2035869c75475d0de7fbb75 --- M src/osmo-hnbgw/hnbgw_l3.c 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/src/osmo-hnbgw/hnbgw_l3.c b/src/osmo-hnbgw/hnbgw_l3.c
index 86d39dc..5b3b870 100644
--- a/src/osmo-hnbgw/hnbgw_l3.c
+++ b/src/osmo-hnbgw/hnbgw_l3.c
@@ -121,6 +121,7 @@
 return 0;
 }
+/* Parse 24.008 9.4.14 RAU Request */
 static int mobile_identity_decode_from_gmm_rau_req(struct osmo_mobile_identity *mi, struct osmo_routing_area_id *old_ra, int *nri,
@@ -132,12 +133,15 @@
 uint8_t ms_ra_acc_cap_len;
 int rc;
- /* Update Type 10.5.5.18 */
- cur++;
- if (cur >= end)
+ /* all mandatory fields + variable length MS Radio Cap (min value) would be 15 bytes.
+ * But even short radio capabilities we should handle with 14 bytes */
+ if (l3_len < 14)
 return -ENOSPC;
- /* Old routing area identification 10.5.5.15 */
+ /* V: Update Type 10.5.5.18 */
+ cur++;
+
+ /* V: Old routing area identification 10.5.5.15 */
 rc = osmo_routing_area_id_decode(old_ra, cur, end - cur);
 if (rc < 0)
 return rc;
@@ -145,13 +149,14 @@
 if (cur >= end)
 return -ENOSPC;
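Review bot: The new `if (l3_len < 14)` guard at the top of this hunk is only a sufficient bound for the unchecked `cur++` (Update Type) and the following field reads if `cur` still points at `l3_data` at this point, or if the 14 already accounts for bytes consumed earlier; the function's prologue, where cur, end, l3_len and l3_data are set up, is outside the hunk, so that cannot be confirmed here. The comment derives 15 from the mandatory fields and then relaxes to 14 without naming which field is allowed to be shorter, which is what a later reader will need to re-derive the bound. Suggest stating it explicitly and giving the literal a name, e.g. a constant such as `GMM_RAU_REQ_MIN_LEN` (name constructed) with a comment like `/* PD/skip + msg type + update type + old RAI + MS RA cap LV with the shortest accepted capability payload */`, adjusted to the actual layout. The same l3_len-based arithmetic appears again in the next hunk.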
- /* MS Radio Access Capability 10.5.5.12a */
+ /* LV: MS Radio Access Capability 10.5.5.12a */
 ms_ra_acc_cap_len = *cur++;
+ if (l3_len < (ms_ra_acc_cap_len + (cur - l3_data)))
+ return -ENOSPC;
 cur += ms_ra_acc_cap_len;
- if (cur > end)
- return -ENOSPC;
-
+ if (l3_len == (cur - l3_data))
+ return 0; /* No Optional TLV section */
 decode_gmm_tlv(mi, old_ra, nri, cur, end - cur, allow_hex);
 return 0;
 }
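Review bot: The added check `if (l3_len < (ms_ra_acc_cap_len + (cur - l3_data)))` and the later `if (l3_len == (cur - l3_data))` switch to an l3_len/l3_data view of the buffer while the surrounding code keeps using the cur/end view (`end - cur` is still what is handed to decode_gmm_tlv two lines below), and they compare l3_len, presumably unsigned, against a signed ptrdiff_t sum. Provided `end == l3_data + l3_len` holds, the same guards written against the pointers the function already uses are shorter and avoid the mixed-sign comparison: `if (ms_ra_acc_cap_len > end - cur) return -ENOSPC;` before the `cur += ms_ra_acc_cap_len;`, and `if (cur == end) return 0;` in place of the equality test. If the two views are intentionally different, a one-line comment stating how end relates to l3_len would spare the next reader from checking both invariants. The function's opening, where these variables are initialised, lies outside the hunk.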