cellular-infrastructure
/
openggsn
Archived
9
0
Fork 0
Code Releases Activity

[SECURITY] Fix GTPIE parsing DoS 

This is taken from http://sourceforge.net/tracker/index.php?func=detail&aid=1811511&group_id=68956&atid=522957 and http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg402969.html and addresses a DoS:

The problem lies in the parsing of information elements in GTP messages, which
is implemented in the gtpie_decaps function of gtp/gtpie.c file.

The implementation has a bug that does not check if there are too many
information elements in the message thus causing the software to loop
infinitely in the while-loop.

In addition, handling routine for the error situation had to be implemented
outside the while-loop.
This commit is contained in:
Harald Welte 2010-05-04 10:59:23 +02:00
parent dd69266b10
commit e67556e96f
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
gtp/gtpie.c
View File

@ -188,7 +188,7 @@ int gtpie_decaps(union gtpie_member* ie[], int version, void *pack, unsigned len
memset(ie, 0, 4 * GTPIE_SIZE);
while (p<end) {
while ((p<end) && (j<GTPIE_SIZE)) {
if (GTPIE_DEBUG) {
printf("The packet looks like this:\n");
for( i=0; i<(end-p); i++) {
@ -346,6 +346,10 @@ int gtpie_decaps(union gtpie_member* ie[], int version, void *pack, unsigned len
(unsigned long) p, (unsigned long) end);
return 0; /* We landed at the end of the packet: OK */
}
else if (!(j<GTPIE_SIZE)) {
if (GTPIE_DEBUG) printf("GTPIE too many elements.\n");
return EOF; /* We received too many information elements */
}
else {
if (GTPIE_DEBUG) printf("GTPIE exceeded end of packet. %lx %lx\n",
(unsigned long) p, (unsigned long) end);