neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-hnbgw/+/39362?usp=email )
Change subject: hnbgw_rx_hnb_register_req(): guard against asn.1 parsing errors ......................................................................
hnbgw_rx_hnb_register_req(): guard against asn.1 parsing errors
Change-Id: I555f11cadc23ea231821bd48f7cd62953b022e9e --- M src/osmo-hnbgw/hnbgw_hnbap.c 1 file changed, 17 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-hnbgw refs/changes/62/39362/1
diff --git a/src/osmo-hnbgw/hnbgw_hnbap.c b/src/osmo-hnbgw/hnbgw_hnbap.c
index e373600..ca46e55 100644
--- a/src/osmo-hnbgw/hnbgw_hnbap.c
+++ b/src/osmo-hnbgw/hnbgw_hnbap.c
@@ -465,6 +465,16 @@
 return 0;
 }
+static bool is_asn1_octet_string_empty(const OCTET_STRING_t *val)
+{
+ return !val || !val->buf || !val->size;
+}
+
+static bool is_asn1_bit_string_empty(const BIT_STRING_t *val)
+{
+ return !val || !val->buf || !val->size;
+}
+
 static int hnbgw_rx_hnb_register_req(struct hnb_context *ctx, ANY_t *in)
 {
 struct hnb_persistent *hnbp;
@@ -480,7 +490,13 @@
 socklen_t len = sizeof(cur_osa);
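Review bot: `is_asn1_octet_string_empty()` and `is_asn1_bit_string_empty()` reject only a NULL pointer, a NULL `buf` or a zero `size`, so a value that is present but shorter than expected still passes. If the code that later consumes the LAC, SAC, RAC, cell identity and PLMN identity reads a fixed number of bytes (not visible in this hunk), a minimum-length check is the stronger guard for data coming from a remote HNB, for example a helper that takes the expected length and does `return val && val->buf && val->size >= min_len;`. Both helpers would also benefit from a short comment such as `/* true if the decoder left no usable data in val: NULL, no buffer, or zero length */`, and since their bodies are identical the comment should say why two typed variants exist.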
rc = hnbap_decode_hnbregisterrequesties(&ies, in);
- if (rc < 0) {
+ if (rc < 0
+ /* CID#465551: make sure that actual values ended up in the asn1 octet strings: */
+ || is_asn1_octet_string_empty(&ies.lac)
+ || is_asn1_octet_string_empty(&ies.sac)
+ || is_asn1_octet_string_empty(&ies.rac)
+ || is_asn1_bit_string_empty(&ies.cellIdentity)
+ || is_asn1_octet_string_empty(&ies.plmNidentity)) {
 LOGHNB(ctx, DHNBAP, LOGL_ERROR, "Failure to decode HNB-REGISTER-REQ: rc=%d\n", rc);
 cause.present = HNBAP_Cause_PR_protocol;
 cause.choice.radioNetwork = HNBAP_CauseProtocol_unspecified;
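Review bot: When decoding succeeds but one of the five IEs is empty, the error branch still logs `Failure to decode HNB-REGISTER-REQ: rc=%d` with a non-negative rc, which hides the real reason for the reject from anyone triaging malformed registrations. Consider a separate message for the validation case, e.g. `LOGHNB(ctx, DHNBAP, LOGL_ERROR, "HNB-REGISTER-REQ: IE empty after decoding\n");`, or splitting the condition into two branches. The rest of the branch lies outside the hunk; if it returns without releasing `ies`, that return is now reachable after a successful decode and may leak whatever the decoder allocated, so the cleanup on this path should be confirmed. The added comment also says "octet strings" although `cellIdentity` is checked as a bit string.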