From d34adb2f9f0190398bf124e3c44384dd72094676 Mon Sep 17 00:00:00 2001 From: Holger Hans Peter Freyther Date: Tue, 19 Mar 2013 20:50:36 +0100 Subject: [PATCH] nat: Fix authentication by-pass using shorter tokens The token was compared with the configured one but only up to a user supplied length. Compare the token sizes and then use memcmp for the actual comparison to make sure to compare the right ammount of characters. There is no unit-test but there should be one. --- openbsc/src/osmo-bsc_nat/bsc_nat.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c index dd06a70b6..792d33c23 100644 --- a/openbsc/src/osmo-bsc_nat/bsc_nat.c +++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c @@ -943,8 +943,26 @@ static void ipaccess_auth_bsc(struct tlv_parsed *tvp, struct bsc_connection *bsc return; } + if (len <= 0) { + LOGP(DNAT, LOGL_ERROR, "Token with length zero on fd: %d\n", + bsc->write_queue.bfd.fd); + return; + } + + if (token[len - 1] != '\0') { + LOGP(DNAT, LOGL_ERROR, "Token not null terminated on fd: %d\n", + bsc->write_queue.bfd.fd); + return; + } + llist_for_each_entry(conf, &bsc->nat->bsc_configs, entry) { - if (strncmp(conf->token, token, len) == 0) { + /* + * Add the '\0' of the token for the memcmp, the IPA messages + * for some reason added null termination. + */ + const int token_len = strlen(conf->token) + 1; + + if (token_len == len && memcmp(conf->token, token, token_len) == 0) { rate_ctr_inc(&conf->stats.ctrg->ctr[BCFG_CTR_NET_RECONN]); bsc->authenticated = 1; bsc->cfg = conf; @@ -956,7 +974,7 @@ static void ipaccess_auth_bsc(struct tlv_parsed *tvp, struct bsc_connection *bsc } } - LOGP(DNAT, LOGL_ERROR, "No bsc found for token %s on fd: %d.\n", token, + LOGP(DNAT, LOGL_ERROR, "No bsc found for token '%s' on fd: %d.\n", token, bsc->write_queue.bfd.fd); }