pespin has uploaded this change for review. (
https://gerrit.osmocom.org/c/osmo-hnbgw/+/39480?usp=email )
Change subject: peek_l3_ul_nas: Improve RAU req parsing checks
......................................................................
peek_l3_ul_nas: Improve RAU req parsing checks
Used recently updated osmo-sgsn gprs_gmm_parse_ra_upd_req() as a guide.
Related: OS#6717
Change-Id: I1a6c642e7017e159a2035869c75475d0de7fbb75
---
M src/osmo-hnbgw/hnbgw_l3.c
1 file changed, 13 insertions(+), 8 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-hnbgw refs/changes/80/39480/1
diff --git a/src/osmo-hnbgw/hnbgw_l3.c b/src/osmo-hnbgw/hnbgw_l3.c
index 86d39dc..5b3b870 100644
--- a/src/osmo-hnbgw/hnbgw_l3.c
+++ b/src/osmo-hnbgw/hnbgw_l3.c
@@ -121,6 +121,7 @@
return 0;
}
+/* Parse 24.008 9.4.14 RAU Request */
static int mobile_identity_decode_from_gmm_rau_req(struct osmo_mobile_identity *mi,
struct osmo_routing_area_id *old_ra,
int *nri,
@@ -132,12 +133,15 @@
uint8_t ms_ra_acc_cap_len;
int rc;
- /* Update Type 10.5.5.18 */
- cur++;
- if (cur >= end)
+ /* all mandatory fields + variable length MS Radio Cap (min value) would be 15 bytes.
+ * But even short radio capabilities we should handle with 14 bytes */
+ if (l3_len < 14)
return -ENOSPC;
- /* Old routing area identification 10.5.5.15 */
+ /* V: Update Type 10.5.5.18 */
+ cur++;
+
+ /* V: Old routing area identification 10.5.5.15 */
rc = osmo_routing_area_id_decode(old_ra, cur, end - cur);
if (rc < 0)
return rc;
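Review bot: The bare `14` in `if (l3_len < 14)` is hard to audit, and the comment above it names two different minimums (15 and 14) without listing the fields they are summed from. This single guard replaces the per-field `cur >= end` check after the Update Type octet, so it is only correct if `l3_len` is counted from the same origin that `cur` starts at; that setup is at the top of the function, outside this hunk, and is worth confirming. I would list the per-field octet counts in the comment and give the constant a name, e.g. `#define GMM_RAU_REQ_MIN_LEN 14`.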
@@ -145,13 +149,14 @@
if (cur >= end)
return -ENOSPC;
- /* MS Radio Access Capability 10.5.5.12a */
+ /* LV: MS Radio Access Capability 10.5.5.12a */
ms_ra_acc_cap_len = *cur++;
+ if (l3_len < (ms_ra_acc_cap_len + (cur - l3_data)))
+ return -ENOSPC;
cur += ms_ra_acc_cap_len;
- if (cur > end)
- return -ENOSPC;
-
+ if (l3_len == (cur - l3_data))
+ return 0; /* No Optional TLV section */
decode_gmm_tlv(mi, old_ra, nri, cur, end - cur, allow_hex);
return 0;
}
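Review bot: The new test `if (l3_len < (ms_ra_acc_cap_len + (cur - l3_data)))` mixes a `uint8_t`, a pointer difference and `l3_len` in one comparison, while the check two lines above it still uses `cur >= end`. Assuming `end` is `l3_data + l3_len` (set up outside this hunk), it would read more directly and stay in one signed type as `if (ms_ra_acc_cap_len > end - cur) return -ENOSPC;`, with the optional-section test as `if (cur == end) return 0;`. The length octet is taken straight from the received message, so this bound is the one that keeps `cur` inside the buffer and should be easy to verify at a glance. Separately, the result of `decode_gmm_tlv()` on the last line is still discarded, so a malformed optional TLV section returns 0; if that is deliberate best-effort, a comment such as `/* optional IEs are best-effort, errors ignored */` would make it explicit.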
--
To view, visit
https://gerrit.osmocom.org/c/osmo-hnbgw/+/39480?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: osmo-hnbgw
Gerrit-Branch: master
Gerrit-Change-Id: I1a6c642e7017e159a2035869c75475d0de7fbb75
Gerrit-Change-Number: 39480
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin(a)sysmocom.de>