[SECURITY] Fix GTPIE parsing DoS
This is taken from http://sourceforge.net/tracker/index.php?func=detail&aid=1811511&group_id=68956&atid=522957 and http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg402969.html and addresses a DoS: The problem lies in the parsing of information elements in GTP messages, which is implemented in the gtpie_decaps function of the gtp/gtpie.c file. The implementation does not check whether the message contains too many information elements, which causes the software to loop infinitely in the while-loop. In addition, the handling routine for this error situation had to be implemented outside the while-loop.
parent
dd69266b10
commit
e67556e96f
|
@ -188,7 +188,7 @@ int gtpie_decaps(union gtpie_member* ie[], int version, void *pack, unsigned len
|
|||
|
||||
memset(ie, 0, 4 * GTPIE_SIZE);
|
||||
|
||||
while (p<end) {
|
||||
while ((p<end) && (j<GTPIE_SIZE)) {
|
||||
if (GTPIE_DEBUG) {
|
||||
printf("The packet looks like this:\n");
|
||||
for( i=0; i<(end-p); i++) {
|
||||
|
@ -346,6 +346,10 @@ int gtpie_decaps(union gtpie_member* ie[], int version, void *pack, unsigned len
|
|||
(unsigned long) p, (unsigned long) end);
|
||||
return 0; /* We landed at the end of the packet: OK */
|
||||
}
|
||||
else if (!(j<GTPIE_SIZE)) {
|
||||
if (GTPIE_DEBUG) printf("GTPIE too many elements.\n");
|
||||
return EOF; /* We received too many information elements */
|
||||
}
|
||||
else {
|
||||
if (GTPIE_DEBUG) printf("GTPIE exceeded end of packet. %lx %lx\n",
|
||||
(unsigned long) p, (unsigned long) end);
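Review bot: The `memset(ie, 0, 4 * GTPIE_SIZE);` kept as context in the first hunk hard-codes a 4-byte pointer, so on a platform with 8-byte pointers only the first half of `ie[]` is cleared before the now-bounded loop fills it. Any entry the loop does not write would then keep whatever the caller's array held, and code that later tests `ie[k]` for non-NULL (presumably the lookup helpers, which are not shown on this page) could follow a stale pointer. I would size the clear from the element type: `memset(ie, 0, sizeof(ie[0]) * GTPIE_SIZE);`. Separately, the new too-many-elements branch returns the same `EOF` as the exceeded-end-of-packet branch and reports only under `GTPIE_DEBUG`, so a comment such as `/* j reached GTPIE_SIZE with data left: malformed or oversized message */` plus an unconditional counter or log at the caller would make rejected messages visible to operators. The body of gtpie_decaps continues outside both hunks.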
|
||||
|