Change in osmo-ggsn[master]: sgsnemu: Pass array of in64_addr to in46a_from_eua()

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

laforge gerrit-no-reply at lists.osmocom.org
Tue Apr 14 13:18:21 UTC 2020 

laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-ggsn/+/17764 )

Change subject: sgsnemu: Pass array of in64_addr to in46a_from_eua()
......................................................................

sgsnemu: Pass array of in64_addr to in46a_from_eua()

Let's avoid buffer-overflow writing into out-of-bounds memory in the
event the GGSN sends us 2 EUAs in Create PDP Context Respose. It should
theoretically happen since we don't yet support ipv4v6 APNs in sgsnemu,
but who knows.

Change-Id: I8becd90ce1f0e8bb6e21438c04da4a9cab845492
---
M sgsnemu/sgsnemu.c
1 file changed, 34 insertions(+), 30 deletions(-)

Approvals:
  laforge: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/sgsnemu/sgsnemu.c b/sgsnemu/sgsnemu.c
index fce5059..4341ca6 100644
--- a/sgsnemu/sgsnemu.c
+++ b/sgsnemu/sgsnemu.c
@@ -1409,8 +1409,8 @@
 
 static int create_pdp_conf(struct pdp_t *pdp, void *cbp, int cause)
 {
-	int rc;
-	struct in46_addr addr;
+	int rc, i, num_addr;
+	struct in46_addr addr[2];
 #if defined(__linux__)
 	sigset_t oldmask;
 #endif
@@ -1442,7 +1442,7 @@
 		return EOF;	/* Not what we expected */
 	}
 
-	if (in46a_from_eua(&pdp->eua, &addr) < 1) {
+	if ((num_addr = in46a_from_eua(&pdp->eua, addr)) < 1) {
 		printf
 		    ("Received create PDP context response. Cause value: %d\n",
 		     cause);
@@ -1452,20 +1452,7 @@
 		return EOF;	/* Not a valid IP address */
 	}
 
-	printf("Received create PDP context response. IP address: %s\n",
-	       in46a_ntoa(&addr));
-
-	switch (addr.len) {
-	case 16: /* IPv6 */
-		/* we have to enable the kernel to perform stateless autoconfiguration,
-		 * i.e. send a router solicitation using the lover 64bits of the allocated
-		 * EUA as interface identifier, as per 3GPP TS 29.061 Section 11.2.1.3.2 */
-		memcpy(addr.v6.s6_addr, ll_prefix, sizeof(ll_prefix));
-		printf("Derived IPv6 link-local address: %s\n", in46a_ntoa(&addr));
-		break;
-	case 4: /* IPv4 */
-		break;
-	}
+	printf("Received create PDP context response.\n");
 
 #if defined(__linux__)
 	if ((options.createif) && (options.netns)) {
@@ -1477,19 +1464,37 @@
 	}
 #endif
 
-	if ((options.createif) && (!options.net.len)) {
-		size_t prefixlen = 32;
-		if (addr.len == 16)
-			prefixlen = 64;
-		/* printf("Setting up interface and routing\n"); */
-		tun_addaddr(tun, &addr, &addr, prefixlen);
-		if (options.defaultroute) {
-			struct in_addr rm;
-			rm.s_addr = 0;
-			netdev_addroute(&rm, &addr.v4, &rm);
+	for (i = 0; i < num_addr; i++) {
+		printf("PDP ctx: received EUA with IP address: %s\n",  in46a_ntoa(&addr[i]));
+
+		switch (addr[i].len) {
+		case 16: /* IPv6 */
+			/* we have to enable the kernel to perform stateless autoconfiguration,
+			 * i.e. send a router solicitation using the lover 64bits of the allocated
+			 * EUA as interface identifier, as per 3GPP TS 29.061 Section 11.2.1.3.2 */
+			memcpy(addr[i].v6.s6_addr, ll_prefix, sizeof(ll_prefix));
+			printf("Derived IPv6 link-local address: %s\n", in46a_ntoa(&addr[i]));
+			break;
+		case 4: /* IPv4 */
+			break;
 		}
-		if (options.ipup)
-			tun_runscript(tun, options.ipup);
+
+		if ((options.createif) && (!options.net.len)) {
+			size_t prefixlen = 32;
+			if (addr[i].len == 16)
+				prefixlen = 64;
+			/* printf("Setting up interface and routing\n"); */
+			tun_addaddr(tun, &addr[i], &addr[i], prefixlen);
+			if (options.defaultroute) {
+				struct in_addr rm;
+				rm.s_addr = 0;
+				netdev_addroute(&rm, &addr[i].v4, &rm);
+			}
+			if (options.ipup)
+				tun_runscript(tun, options.ipup);
+		}
+
+		ipset(iph, &addr[i]);
 	}
 
 	/* now that ip-up has been executed, check if we are configured to
@@ -1526,7 +1531,6 @@
 	}
 #endif
 
-	ipset(iph, &addr);
 
 	state = 2;		/* Connected */
 

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-ggsn/+/17764
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-ggsn
Gerrit-Branch: master
Gerrit-Change-Id: I8becd90ce1f0e8bb6e21438c04da4a9cab845492
Gerrit-Change-Number: 17764
Gerrit-PatchSet: 3
Gerrit-Owner: pespin <pespin at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20200414/ec963920/attachment.htm>

More information about the gerrit-log mailing list