[PATCH] USSD - address remaining review points, and guard against buffer overflow Signed-off-by: Mike Haben <michael.haben at btinternet.com>


Mike Haben michael.haben at btinternet.com
Sat Oct 24 07:04:49 UTC 2009


---
 openbsc/include/openbsc/gsm_04_80.h      |   10 ++++++----
 openbsc/include/openbsc/gsm_subscriber.h |    7 ++++---
 openbsc/src/gsm_04_80.c                  |    9 ++++++---
 openbsc/src/gsm_data.c                   |    2 +-
 openbsc/src/ussd.c                       |    6 +++---
 5 files changed, 20 insertions(+), 14 deletions(-)
 mode change 100644 => 100755 openbsc/include/openbsc/gsm_04_80.h
 mode change 100644 => 100755 openbsc/include/openbsc/gsm_subscriber.h
 mode change 100644 => 100755 openbsc/src/gsm_04_80.c
 mode change 100644 => 100755 openbsc/src/gsm_data.c
 mode change 100644 => 100755 openbsc/src/ussd.c

diff --git a/openbsc/include/openbsc/gsm_04_80.h b/openbsc/include/openbsc/gsm_04_80.h
old mode 100644
new mode 100755
index 9bdf2c2..c240bbe
--- a/openbsc/include/openbsc/gsm_04_80.h
+++ b/openbsc/include/openbsc/gsm_04_80.h
@@ -125,17 +125,19 @@
 
 #include <openbsc/msgb.h>
 
+#define MAX_LEN_USSD_STRING	31
+
 struct ussd_request {
-			char text[32];
+			char text[MAX_LEN_USSD_STRING + 1];
 			u_int8_t transaction_id;
 			u_int8_t invoke_id;
 };
 
-int gsm0480_decode_ussd_request(struct msgb *msg, 
+int gsm0480_decode_ussd_request(const struct msgb *msg, 
 				struct ussd_request *request); 
-int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text, 
+int gsm0480_send_ussd_response(const struct msgb *in_msg, const char* response_text, 
 						const struct ussd_request *req);
-int gsm0480_send_ussd_reject(struct msgb *msg, 
+int gsm0480_send_ussd_reject(const struct msgb *msg, 
 				const struct ussd_request *request);
 
 #endif
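Review bot: `MAX_LEN_USSD_STRING 31` is introduced without saying where the value comes from, and since the companion change in gsm_04_80.c silently truncates any mobile-originated string to it, a reader of the header cannot tell whether 31 is a protocol limit or a local choice. A one-line comment on the define would settle that, e.g. `/* characters held by ussd_request.text (excluding NUL); longer MO strings are truncated on decode */`, amended to cite the spec clause if the value is derived from one. The same limit should also be documented as the maximum length of `response_text` accepted by gsm0480_send_ussd_response() if that function encodes into a fixed buffer, which I cannot see from this hunk.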
diff --git a/openbsc/include/openbsc/gsm_subscriber.h b/openbsc/include/openbsc/gsm_subscriber.h
old mode 100644
new mode 100755
index ea70c3a..b181917
--- a/openbsc/include/openbsc/gsm_subscriber.h
+++ b/openbsc/include/openbsc/gsm_subscriber.h
@@ -8,13 +8,14 @@
 #define GSM_IMEI_LENGTH 17
 #define GSM_IMSI_LENGTH 17
 #define GSM_NAME_LENGTH 128
-#define GSM_EXTENSION_LENGTH 128
+
+#define GSM_EXTENSION_LENGTH 6
+#define GSM_MIN_EXTEN 20000
+#define GSM_MAX_EXTEN 49999
 
 /* reserved according to GSM 03.03 § 2.4 */
 #define GSM_RESERVED_TMSI   0xFFFFFFFF
 
-#define GSM_MIN_EXTEN 20000
-#define GSM_MAX_EXTEN 49999
 
 #define GSM_SUBSCRIBER_FIRST_CONTACT	0x00000001
 #define tmsi_from_string(str) strtoul(str, NULL, 10)
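Review bot: Shrinking `GSM_EXTENSION_LENGTH` from 128 to 6 resizes every array declared with it, so any copy into such an array that was written against the old 128-byte capacity (database or VTY loading of the extension, presumably, though none of it is in this patch) now needs its bound re-checked or it becomes an overflow rather than a truncation. The value is only correct because `GSM_MAX_EXTEN` is five digits; making that coupling visible would prevent one being changed without the other, e.g. `#define GSM_EXTENSION_LENGTH 6 /* 5 digits (GSM_MAX_EXTEN) + NUL */`. The move of the two EXTEN defines also leaves a double blank line above `GSM_SUBSCRIBER_FIRST_CONTACT`.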
diff --git a/openbsc/src/gsm_04_80.c b/openbsc/src/gsm_04_80.c
old mode 100644
new mode 100755
index 5d85c82..7f5089d
--- a/openbsc/src/gsm_04_80.c
+++ b/openbsc/src/gsm_04_80.c
@@ -70,7 +70,7 @@ static inline unsigned char *msgb_push_TLV1(struct msgb *msgb, u_int8_t tag,
 
 
 /* Decode a mobile-originated USSD-request message */
-int gsm0480_decode_ussd_request(struct msgb *msg, struct ussd_request *req)
+int gsm0480_decode_ussd_request(const struct msgb *msg, struct ussd_request *req)
 {
 	int rc = 0;
 	u_int8_t *parse_ptr = msgb_l3(msg);
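Review bot: With `msg` now `const struct msgb *`, the next line still stores the payload pointer in a non-const `u_int8_t *parse_ptr`, so the const promise the new prototype makes is dropped inside the function on its first statement. If msgb_l3() takes a non-const `struct msgb *` (I cannot see its definition here) this will also warn about discarding qualifiers; declaring `const u_int8_t *parse_ptr = msgb_l3(msg);` keeps the decoder read-only end to end. The body of gsm0480_decode_ussd_request continues beyond the hunk.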
@@ -230,6 +230,9 @@ static int parse_process_uss_req(u_int8_t *uss_req_data, u_int8_t length,
 			if ((dcs == 0x0F) &&
 			    (uss_req_data[5] == ASN1_OCTET_STRING_TAG)) {
 				num_chars = (uss_req_data[6] * 8) / 7;
+				/* Prevent a mobile-originated buffer-overrun! */
+				if (num_chars > MAX_LEN_USSD_STRING)
+					num_chars = MAX_LEN_USSD_STRING;
 				gsm_7bit_decode(req->text,
 						&(uss_req_data[7]), num_chars);
 				/* append null-terminator */
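Review bot: The clamp bounds the write into `req->text`, but the read side is still governed solely by the mobile-supplied length octet `uss_req_data[6]`: gsm_7bit_decode() is handed `&uss_req_data[7]` and up to 31 characters' worth of packed octets regardless of how many bytes were actually received, so a short message carrying a large length octet still reads past the end of the data. The function has a `length` parameter (visible in the hunk header) that should bound the claimed octet count before decoding, e.g. `if (length < 7 || uss_req_data[6] > length - 7)` followed by a return with the function's failure value. parse_process_uss_req starts and ends outside this hunk, so the existing checks on `length` for the earlier octets are not visible here.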
@@ -242,7 +245,7 @@ static int parse_process_uss_req(u_int8_t *uss_req_data, u_int8_t length,
 }
 
 /* Send response to a mobile-originated ProcessUnstructuredSS-Request */
-int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text, 
+int gsm0480_send_ussd_response(const struct msgb *in_msg, const char* response_text, 
 						const struct ussd_request *req)
 {
 	struct msgb *msg = gsm48_msgb_alloc();
@@ -295,7 +298,7 @@ int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text,
 	return gsm48_sendmsg(msg, NULL);
 }
 
-int gsm0480_send_ussd_reject(struct msgb *in_msg, 
+int gsm0480_send_ussd_reject(const struct msgb *in_msg, 
 				const struct ussd_request *req)
 {
 	struct msgb *msg = gsm48_msgb_alloc();
diff --git a/openbsc/src/gsm_data.c b/openbsc/src/gsm_data.c
old mode 100644
new mode 100755
index 6767c3f..2344d96
--- a/openbsc/src/gsm_data.c
+++ b/openbsc/src/gsm_data.c
@@ -224,7 +224,7 @@ static char ts2str[255];
 char *gsm_ts_name(struct gsm_bts_trx_ts *ts)
 {
 	snprintf(ts2str, sizeof(ts2str), "(bts=%d,trx=%d,ts=%d)",
-		 ts->trx->bts->bts_nr, ts->trx->nr, ts->nr);
+		 ts->trx->bts->nr, ts->trx->nr, ts->nr);
 
 	return ts2str;
 }
diff --git a/openbsc/src/ussd.c b/openbsc/src/ussd.c
old mode 100644
new mode 100755
index e414b1c..a3d11f0
--- a/openbsc/src/ussd.c
+++ b/openbsc/src/ussd.c
@@ -63,9 +63,9 @@ int handle_rcv_ussd(struct msgb *msg)
 static int send_own_number(const struct msgb *msg, const struct ussd_request *req)
 {
 	char *own_number = msg->lchan->subscr->extension;
-	/* Need trailing CR as EOT character */
-	char response_string[] = "Your extension is xxxxx\r";
+	char response_string[GSM_EXTENSION_LENGTH + 20];
 
-	memcpy(response_string + 18, own_number, 5);
+	/* Need trailing CR as EOT character */
+	snprintf(response_string, sizeof(response_string), "Your extension is %s\r", own_number);
 	return gsm0480_send_ussd_response(msg, response_string, req);
 }
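Review bot: The snprintf() result is not checked, so if `own_number` is ever longer than the five digits the buffer arithmetic assumes, the output is truncated and the first thing lost is the trailing `\r` that the comment says is required as the EOT character; the response would then be sent silently without its terminator. Capture the return value and refuse to send on truncation, e.g. `int len = snprintf(...);` then `if (len < 0 || (size_t)len >= sizeof(response_string))` returning an error. The `+ 20` also hides that it is exactly `sizeof("Your extension is \r")`; writing the buffer size as `sizeof("Your extension is \r") + GSM_EXTENSION_LENGTH` keeps it in step with the format string.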
-- 
1.6.0.4





