Change in osmo-msc[master]: libmsc/gsm_04_08.c: fix: do not crash on malformed Mobile Identity

fixeria gerrit-no-reply at lists.osmocom.org
Sat Dec 28 00:23:27 UTC 2019


fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-msc/+/16683 )


Change subject: libmsc/gsm_04_08.c: fix: do not crash on malformed Mobile Identity
......................................................................

libmsc/gsm_04_08.c: fix: do not crash on malformed Mobile Identity

Change-Id: Ica4c90b8eb4d90325313c6eb400fa4a6bc5df825
Fixes: OS#4340
---
M src/libmsc/gsm_04_08.c
1 file changed, 29 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/83/16683/1

diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c
index 750c766..331449a 100644
--- a/src/libmsc/gsm_04_08.c
+++ b/src/libmsc/gsm_04_08.c
@@ -192,6 +192,21 @@
 
 	DEBUGP(DMM, "IDENTITY RESPONSE: MI=%s\n", osmo_mi_name(mi, mi_len));
 
+	if (!mi_len)
+		return -EINVAL;
+	switch (mi[0] & GSM_MI_TYPE_MASK) {
+	case GSM_MI_TYPE_IMSI:
+	case GSM_MI_TYPE_IMEI:
+	case GSM_MI_TYPE_IMEISV:
+	case GSM_MI_TYPE_TMSI:
+		break;
+	default:
+		LOGP(DMM, LOGL_ERROR, "MM Identity Response contains "
+				      "unknown Mobile Identity type=0x%02x\n",
+				      mi[0] & GSM_MI_TYPE_MASK);
+		return -EINVAL;
+	}
+
 	osmo_signal_dispatch(SS_SUBSCR, S_SUBSCR_IDENTITY, gh->data);
 
 	return vlr_subscr_rx_id_resp(vsub, mi, mi_len);
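Review bot: The new length and type check in this hunk sits below the existing DEBUGP line, so osmo_mi_name(mi, mi_len) is still called on the Mobile Identity before it has been validated. If that formatting call is not guaranteed safe for an empty or unknown-type MI, move the check above the DEBUGP, the way the second hunk places its check ahead of the LOG_MSC_A call. Separately, the `if (!mi_len)` path returns -EINVAL silently while the unknown-type path logs at LOGL_ERROR; logging the empty case as well would make rejected Identity Responses easier to trace.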
@@ -1184,6 +1199,20 @@
 
 	if (!mi)
 		return 0;
+	if (!mi->len)
+		return -EINVAL;
+	switch (mi->val[0] & GSM_MI_TYPE_MASK) {
+	case GSM_MI_TYPE_IMSI:
+	case GSM_MI_TYPE_IMEI:
+	case GSM_MI_TYPE_IMEISV:
+	case GSM_MI_TYPE_TMSI:
+		break;
+	default:
+		LOGP(DMM, LOGL_ERROR, "RR Ciphering Mode Complete contains "
+				      "unknown Mobile Identity type=0x%02x\n",
+				      mi->val[0] & GSM_MI_TYPE_MASK);
+		return -EINVAL;
+	}
 
 	LOG_MSC_A(msc_a, LOGL_DEBUG, "RR Ciphering Mode Complete contains Mobile Identity: %s\n",
 		  osmo_mi_name(mi->val, mi->len));
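Review bot: The switch on `mi->val[0] & GSM_MI_TYPE_MASK` duplicates the one added in the Identity Response hunk, differing only in the log prefix. A small static helper taking the buffer, the length and a message name would keep the list of accepted types in one place. Both checks verify only that the length is non-zero and the type is known, not that the length is consistent with the type. The commit message also does not say which malformed input caused the crash, so a sentence describing the trigger would help reviewers judge whether this check is sufficient.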

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-msc/+/16683
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Change-Id: Ica4c90b8eb4d90325313c6eb400fa4a6bc5df825
Gerrit-Change-Number: 16683
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <axilirator at gmail.com>
Gerrit-MessageType: newchange