From e160ac6ea5850211f26495466a1f4d11b82714d2 Mon Sep 17 00:00:00 2001
From: Harald Welte <laforge@gnumonks.org>
Date: Sat, 9 Feb 2019 09:33:33 +0100
Subject: [PATCH] OML: Reject segmented OML messages

TS 12.21 describes segmenting of OML messages using placement
fist/middle/last and the "sequence' number of the OML header. We don't
implement this and hence must ignore or reject any related messages.

Before this patch however, we simply treated such segments as if they
were a complete OML message.  Let's fix that.

Change-Id: Idd42cf4edc1bf9ab366853bd9b0f7afd9c060910
Closes: OS#3795
---
 src/common/oml.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/common/oml.c b/src/common/oml.c
index c98ba9cd3..d389e2984 100644
--- a/src/common/oml.c
+++ b/src/common/oml.c
@@ -1424,7 +1424,7 @@ int down_oml(struct gsm_bts *bts, struct msgb *msg)
 	struct abis_om_hdr *oh = msgb_l2(msg);
 	int ret = 0;
 
-	if (msgb_l2len(msg) < 1) {
+	if (msgb_l2len(msg) < sizeof(*oh)) {
 		oml_tx_failure_event_rep(&bts->mo, OSMO_EVT_MAJ_UKWN_MSG,
 					 "OML message too short\n");
 		msgb_free(msg);
@@ -1432,6 +1432,14 @@ int down_oml(struct gsm_bts *bts, struct msgb *msg)
 	}
 	msg->l3h = (unsigned char *)oh + sizeof(*oh);
 
+	/* We don't implement de-segmentation of segmented OML messages */
+	if (oh->placement != ABIS_OM_PLACEMENT_ONLY || oh->sequence != 0) {
+		oml_tx_failure_event_rep(&bts->mo, OSMO_EVT_MAJ_UKWN_MSG,
+					 "Unsupported segmented O&M message\n");
+		msgb_free(msg);
+		return -EIO;
+	}
+
 	switch (oh->mdisc) {
 	case ABIS_OM_MDISC_FOM:
 		if (msgb_l2len(msg) < sizeof(*oh)) {