Change in ...libosmocore[master]: cbsp: Fix endless loop iteration when decoding cell list IEs


laforge gerrit-no-reply at lists.osmocom.org
Sun Sep 1 08:32:32 UTC 2019


laforge has submitted this change and it was merged. ( https://gerrit.osmocom.org/c/libosmocore/+/15370 )

Change subject: cbsp: Fix endless loop iteration when decoding cell list IEs
......................................................................

cbsp: Fix endless loop iteration when decoding cell list IEs

The CBSP code assumed that gsm0808_decode_cell_id_u() would return
the number of bytes it has consumed/parsed.  But it actually always
returns '0', which makes us run in an endless loop :(

Change-Id: I5758af4ec11a827d4b888a3a16c4ec22de90a7d6
---
M include/osmocom/gsm/gsm0808_utils.h
M src/gsm/cbsp.c
M src/gsm/gsm0808_utils.c
3 files changed, 26 insertions(+), 4 deletions(-)

Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, approved



diff --git a/include/osmocom/gsm/gsm0808_utils.h b/include/osmocom/gsm/gsm0808_utils.h
index 76db2b6..ccdf5ed 100644
--- a/include/osmocom/gsm/gsm0808_utils.h
+++ b/include/osmocom/gsm/gsm0808_utils.h
@@ -95,6 +95,7 @@
 int gsm0808_cell_id_to_cgi(struct osmo_cell_global_id *cgi, const struct gsm0808_cell_id *cid);
 void gsm0808_msgb_put_cell_id_u(struct msgb *msg, enum CELL_IDENT id_discr, const union gsm0808_cell_id_u *u);
 int gsm0808_decode_cell_id_u(union gsm0808_cell_id_u *out, enum CELL_IDENT discr, const uint8_t *buf, unsigned int len);
+int gsm0808_cell_id_size(enum CELL_IDENT discr);
 
 uint8_t gsm0808_enc_cause(struct msgb *msg, uint16_t cause);
 uint8_t gsm0808_enc_aoip_trasp_addr(struct msgb *msg,
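Review bot: the new public prototype `int gsm0808_cell_id_size(enum CELL_IDENT discr);` lands without any documentation of its return contract, and callers in cbsp.c add the result straight to a pointer. The neighbouring functions in this header are documented with doxygen `/*!` blocks in the .c file; please document this one the same way, stating that it returns the byte length of the value part, 0 for CELL_IDENT_BSS / CELL_IDENT_NO_CELL, and -EINVAL for an unknown discriminator, so callers know a non-positive result must be handled.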
diff --git a/src/gsm/cbsp.c b/src/gsm/cbsp.c
index 84b9235..c13be61 100644
--- a/src/gsm/cbsp.c
+++ b/src/gsm/cbsp.c
@@ -515,7 +515,7 @@
 			osmo_cbsp_errstr = "cell list: error decoding cell_id_union";
 			return rc;
 		}
-		cur += rc;
+		cur += gsm0808_cell_id_size(cl->id_discr);
 		llist_add_tail(&ent->list, &cl->list);
 	}
 	return 0;
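Review bot: `cur += gsm0808_cell_id_size(cl->id_discr);` adds the return value to a pointer without checking it. The function added in gsm0808_utils.c returns -EINVAL for an unknown discriminator and 0 for CELL_IDENT_BSS / CELL_IDENT_NO_CELL: a negative result moves `cur` backwards, and a zero result leaves `cur` unchanged, which is the same non-advancing iteration this change sets out to fix if the loop is bounded only by `cur` reaching `buf + len`. Suggest storing the size in a local, rejecting values <= 0 with an osmo_cbsp_errstr of its own (freeing `ent` as the error path above does), and, unless gsm0808_decode_cell_id_u() already guarantees that many bytes are available, checking `cur + size <= buf + len` before the advance.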
@@ -538,7 +538,7 @@
 			osmo_cbsp_errstr = "fail list: error decoding cell_id_union";
 			return rc;
 		}
-		cur += rc;
+		cur += gsm0808_cell_id_size(ent->id_discr);
 		ent->cause = *cur++;
 		llist_add_tail(&ent->list, fl);
 	}
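Review bot: `ent->cause = *cur++;` reads one byte immediately after the advance with no check that `cur < buf + len`, whereas the load list and completed list hunks below guard their trailing fields with `if (cur + 2 > buf + len)` and `if (cur + 3 > buf + len)` before reading them. A fail list IE whose last cell identifier ends exactly at the end of the IE would read one byte past it; add the same truncation check with its `talloc_free(ent)` here. The unchecked size return from gsm0808_cell_id_size() applies to this hunk as well.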
@@ -562,7 +562,7 @@
 			osmo_cbsp_errstr = "load list: error decoding cell_id_union";
 			return rc;
 		}
-		cur += rc;
+		cur += gsm0808_cell_id_size(ll->id_discr);
 		if (cur + 2 > buf + len) {
 			talloc_free(ent);
 			osmo_cbsp_errstr = "load list: truncated IE";
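Review bot: the truncation check `if (cur + 2 > buf + len)` runs only after `cur` has already been advanced by the cell identifier size; if that size was not validated against the remaining length first, `cur` can already point beyond `buf + len` when the comparison is made, and the comparison is then done on a pointer outside the buffer. Computing the remaining length as `(buf + len) - cur` before the advance and comparing the size (plus the 2 trailing bytes) against it keeps the pointer arithmetic in bounds and covers a -EINVAL or 0 return in the same check. The same applies to the completed list hunk that follows.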
@@ -592,7 +592,7 @@
 			osmo_cbsp_errstr = "completed list: error decoding cell_id_union";
 			return rc;
 		}
-		cur += rc;
+		cur += gsm0808_cell_id_size(cl->id_discr);
 		if (cur + 3 > buf + len) {
 			talloc_free(ent);
 			osmo_cbsp_errstr = "completed list: truncated IE";
diff --git a/src/gsm/gsm0808_utils.c b/src/gsm/gsm0808_utils.c
index 364a04f..7416d8f 100644
--- a/src/gsm/gsm0808_utils.c
+++ b/src/gsm/gsm0808_utils.c
@@ -767,6 +767,27 @@
 	return (int)(elem - old_elem);
 }
 
+/* Return the size of the value part of a cell identifier of given type */
+int gsm0808_cell_id_size(enum CELL_IDENT discr)
+{
+	switch (discr) {
+	case CELL_IDENT_WHOLE_GLOBAL:
+		return 7;
+	case CELL_IDENT_LAC_AND_CI:
+		return 4;
+	case CELL_IDENT_CI:
+		return 2;
+	case CELL_IDENT_LAI_AND_LAC:
+		return 5;
+	case CELL_IDENT_LAC:
+		return 2;
+	case CELL_IDENT_BSS:
+	case CELL_IDENT_NO_CELL:
+		return 0;
+	default:
+		return -EINVAL;
+	}
+}
 /*! Decode a single GSM 08.08 Cell ID list element payload
  *  \param[out] out caller-provided output union
  *  \param[in] discr Cell ID discriminator describing type to be decoded
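Review bot: style and documentation: the new function is introduced with a plain `/* ... */` comment while the rest of this file, including the `/*! Decode a single GSM 08.08 Cell ID list element payload` block that immediately follows it, uses doxygen `/*! ... \param ... \returns ... */` comments; please convert it and spell out the -EINVAL return for unknown discriminators. A blank line is also missing between the closing `}` of gsm0808_cell_id_size() and that following comment, unlike between the other functions in this file. Returning -EINVAL assumes `<errno.h>` is already included in gsm0808_utils.c, which this hunk does not show.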

-- 
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/15370
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I5758af4ec11a827d4b888a3a16c4ec22de90a7d6
Gerrit-Change-Number: 15370
Gerrit-PatchSet: 1
Gerrit-Owner: laforge <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge at gnumonks.org>
Gerrit-MessageType: merged