[USSD] various USSD improvements

- Improved handling of extension-number string (as per review) - Guard against a buffer-overflow if mobile sends a too-long USSD - declare some function-parameters const - fix gsm_ts_name function to display the right BTS number (bts->nr rather than bts->bts_nr)
2009-10-26 20:36:34 +01:00 · 2009-10-26 20:36:34 +01:00 · c0c5079124
parent 775a1a4c46
commit c0c5079124
5 changed files with 20 additions and 14 deletions
--- a/openbsc/include/openbsc/gsm_04_80.h
+++ b/openbsc/include/openbsc/gsm_04_80.h
@ -125,17 +125,19 @@

 #include <openbsc/msgb.h>

+#define MAX_LEN_USSD_STRING	31
+
 struct ussd_request {
-			char text[32];
+			char text[MAX_LEN_USSD_STRING + 1];
 			u_int8_t transaction_id;
 			u_int8_t invoke_id;
 };

-int gsm0480_decode_ussd_request(struct msgb *msg, 
+int gsm0480_decode_ussd_request(const struct msgb *msg, 
 				struct ussd_request *request); 
-int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text, 
+int gsm0480_send_ussd_response(const struct msgb *in_msg, const char* response_text, 
 						const struct ussd_request *req);
-int gsm0480_send_ussd_reject(struct msgb *msg, 
+int gsm0480_send_ussd_reject(const struct msgb *msg, 
 				const struct ussd_request *request);

 #endif
--- a/openbsc/include/openbsc/gsm_subscriber.h
+++ b/openbsc/include/openbsc/gsm_subscriber.h
@ -8,13 +8,14 @@
 #define GSM_IMEI_LENGTH 17
 #define GSM_IMSI_LENGTH 17
 #define GSM_NAME_LENGTH 128
-#define GSM_EXTENSION_LENGTH 128
+
+#define GSM_EXTENSION_LENGTH 15 /* MSISDN can only be 15 digits length */
+#define GSM_MIN_EXTEN 20000
+#define GSM_MAX_EXTEN 49999

 /* reserved according to GSM 03.03 § 2.4 */
 #define GSM_RESERVED_TMSI   0xFFFFFFFF

-#define GSM_MIN_EXTEN 20000
-#define GSM_MAX_EXTEN 49999

 #define GSM_SUBSCRIBER_FIRST_CONTACT	0x00000001
 #define tmsi_from_string(str) strtoul(str, NULL, 10)
--- a/openbsc/src/gsm_04_80.c
+++ b/openbsc/src/gsm_04_80.c
@ -70,7 +70,7 @@ static inline unsigned char *msgb_push_TLV1(struct msgb *msgb, u_int8_t tag,


 /* Decode a mobile-originated USSD-request message */
-int gsm0480_decode_ussd_request(struct msgb *msg, struct ussd_request *req)
+int gsm0480_decode_ussd_request(const struct msgb *msg, struct ussd_request *req)
 {
 	int rc = 0;
 	u_int8_t *parse_ptr = msgb_l3(msg);
@ -230,6 +230,9 @@ static int parse_process_uss_req(u_int8_t *uss_req_data, u_int8_t length,
 			if ((dcs == 0x0F) &&
 			    (uss_req_data[5] == ASN1_OCTET_STRING_TAG)) {
 				num_chars = (uss_req_data[6] * 8) / 7;
+				/* Prevent a mobile-originated buffer-overrun! */
+				if (num_chars > MAX_LEN_USSD_STRING)
+					num_chars = MAX_LEN_USSD_STRING;
 				gsm_7bit_decode(req->text,
 						&(uss_req_data[7]), num_chars);
 				/* append null-terminator */
@ -242,7 +245,7 @@ static int parse_process_uss_req(u_int8_t *uss_req_data, u_int8_t length,
 }

 /* Send response to a mobile-originated ProcessUnstructuredSS-Request */
-int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text, 
+int gsm0480_send_ussd_response(const struct msgb *in_msg, const char* response_text, 
 						const struct ussd_request *req)
 {
 	struct msgb *msg = gsm48_msgb_alloc();
@ -295,7 +298,7 @@ int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text,
 	return gsm48_sendmsg(msg, NULL);
 }

-int gsm0480_send_ussd_reject(struct msgb *in_msg, 
+int gsm0480_send_ussd_reject(const struct msgb *in_msg, 
 				const struct ussd_request *req)
 {
 	struct msgb *msg = gsm48_msgb_alloc();
--- a/openbsc/src/gsm_data.c
+++ b/openbsc/src/gsm_data.c
@ -232,7 +232,7 @@ static char ts2str[255];
 char *gsm_ts_name(struct gsm_bts_trx_ts *ts)
 {
 	snprintf(ts2str, sizeof(ts2str), "(bts=%d,trx=%d,ts=%d)",
-		 ts->trx->bts->bts_nr, ts->trx->nr, ts->nr);
+		 ts->trx->bts->nr, ts->trx->nr, ts->nr);

 	return ts2str;
 }
--- a/openbsc/src/ussd.c
+++ b/openbsc/src/ussd.c
@ -63,9 +63,9 @@ int handle_rcv_ussd(struct msgb *msg)
 static int send_own_number(const struct msgb *msg, const struct ussd_request *req)
 {
 	char *own_number = msg->lchan->subscr->extension;
-	/* Need trailing CR as EOT character */
-	char response_string[] = "Your extension is xxxxx\r";
+	char response_string[GSM_EXTENSION_LENGTH + 20];

-	memcpy(response_string + 18, own_number, 5);
+	/* Need trailing CR as EOT character */
+	snprintf(response_string, sizeof(response_string), "Your extension is %s\r", own_number);
 	return gsm0480_send_ussd_response(msg, response_string, req);
 }