This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Harald Welte gerrit-no-reply at lists.osmocom.orgHarald Welte has uploaded this change for review. ( https://gerrit.osmocom.org/13570
Change subject: ggsn: Fix build_ipcp_pco() in presence of invalid IPCP content
......................................................................
ggsn: Fix build_ipcp_pco() in presence of invalid IPCP content
When build_ipcp_pco() iterated over the PCO list, it didn't use
the "outer" pco length as an increment, but used the "inner" IPCP
length.
If an IPCP message with an invalid "inner" length was being processed
(see pcap file attached to OS#3914), the PCO iteration beyond that
broken IPCP would fail, possibly rendering false hits.
Let's make pco_contains_proto() return a pointer to the the pco_element,
so that the caller can use the outer length as an increment.
Change-Id: I8e9cffde092c8c5824abfaeecb742afcf949802c
Related: OS#3914
---
M ggsn/ggsn.c
1 file changed, 7 insertions(+), 6 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-ggsn refs/changes/70/13570/1
diff --git a/ggsn/ggsn.c b/ggsn/ggsn.c
index 2d1368b..eac7e16 100644
--- a/ggsn/ggsn.c
+++ b/ggsn/ggsn.c
@@ -471,8 +471,8 @@
} __attribute__((packed));
/* determine if PCO contains given protocol */
-static const uint8_t *pco_contains_proto(const struct ul255_t *pco, size_t offset,
- uint16_t prot, size_t prot_minlen)
+static const struct pco_element *pco_contains_proto(const struct ul255_t *pco, size_t offset,
+ uint16_t prot, size_t prot_minlen)
{
const uint8_t *cur = pco->v + 1 /*length*/ + offset;
@@ -480,7 +480,7 @@
while (cur + sizeof(struct pco_element) <= pco->v + pco->l) {
const struct pco_element *elem = (const struct pco_element *)cur;
if (ntohs(elem->protocol_id) == prot && elem->length >= prot_minlen)
- return cur;
+ return elem;
cur += elem->length + sizeof(struct pco_element);
}
return NULL;
@@ -515,7 +515,8 @@
{
const struct in46_addr *dns1 = &apn->v4.cfg.dns[0];
const struct in46_addr *dns2 = &apn->v4.cfg.dns[1];
- const uint8_t *ipcp, *pco_ipcp;
+ const struct pco_element *pco_ipcp;
+ const uint8_t *ipcp;
uint16_t ipcp_len;
uint8_t *len1, *len2;
unsigned int len_appended;
@@ -527,7 +528,7 @@
while (pco_ipcp) {
uint8_t *start = msg->tail;
- ipcp = (pco_ipcp + 3); /* 2=type + 1=len */
+ ipcp = pco_ipcp->data;
consumed = (ipcp - &pdp->pco_req.v[0]);
remain = sizeof(pdp->pco_req.v) - consumed;
ipcp_len = osmo_load16be(ipcp + 2); /* 1=code + 1=id */
@@ -560,7 +561,7 @@
*len1 = len_appended - 3;
*len2 = len_appended - 3;
- offset += 3 + ipcp_len;
+ offset += sizeof(pco_ipcp) + pco_ipcp->length;
pco_ipcp = pco_contains_proto(&pdp->pco_req, offset, PCO_P_IPCP, sizeof(struct ipcp_hdr));
}
--
To view, visit https://gerrit.osmocom.org/13570
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings
Gerrit-Project: osmo-ggsn
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I8e9cffde092c8c5824abfaeecb742afcf949802c
Gerrit-Change-Number: 13570
Gerrit-PatchSet: 1
Gerrit-Owner: Harald Welte <laforge at gnumonks.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190410/422fce23/attachment.htm>