msc_cipher_mode_compl: Handle CIPH MOD COMPL without L3 message
According to TS 44.008 Section 3.2.1.31, the "Layer 3 Message Contents" IE of the BSSMAP Cipher Mode Complete is optional. The BSC may hence inlcude that IE or not include it. Without this patch, OsmoMSC is crashing if that IE was missing: <000a> a_iface_bssap.c:699 Rx BSC DT: 00 03 55 2c 02 <000a> a_iface_bssap.c:629 Rx MSC DT1 BSSMAP CIPHER MODE COMPLETE <001f> a_iface_bssap.c:91 Found A subscriber for conn_id 1 <000a> a_iface_bssap.c:415 BSC sends cipher mode complete (conn_id=1) ==5611== Invalid read of size 8 ==5611== at 0x128D0F: msc_cipher_mode_compl (osmo_msc.c:159) ==5611== by 0x114F62: bssmap_rx_ciph_compl.isra.8 (a_iface_bssap.c:432) ==5611== by 0x113267: sccp_sap_up (a_iface.c:520) Change-Id: I722f9b468b157b3736918f090daaa9489a6028ee Closes: OS#2871
This commit is contained in:
parent
49f8fcbd94
commit
284c39af2a
|
|
@ -156,43 +156,43 @@ void msc_classmark_chg(struct gsm_subscriber_connection *conn,
|
|||
void msc_cipher_mode_compl(struct gsm_subscriber_connection *conn,
|
||||
struct msgb *msg, uint8_t alg_id)
|
||||
{
|
||||
struct gsm48_hdr *gh = msgb_l3(msg);
|
||||
unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
|
||||
struct tlv_parsed tp;
|
||||
uint8_t mi_type;
|
||||
char imeisv[GSM48_MI_SIZE] = "";
|
||||
struct vlr_ciph_result ciph_res = { .cause = VLR_CIPH_REJECT };
|
||||
|
||||
if (!gh) {
|
||||
LOGP(DRR, LOGL_ERROR, "invalid: msgb without l3 header\n");
|
||||
return;
|
||||
}
|
||||
|
||||
if (!conn) {
|
||||
LOGP(DRR, LOGL_ERROR,
|
||||
"invalid: rx Ciphering Mode Complete on NULL conn\n");
|
||||
LOGP(DRR, LOGL_ERROR, "invalid: rx Ciphering Mode Complete on NULL conn\n");
|
||||
return;
|
||||
}
|
||||
if (!conn->vsub) {
|
||||
LOGP(DRR, LOGL_ERROR,
|
||||
"invalid: rx Ciphering Mode Complete for NULL subscr\n");
|
||||
LOGP(DRR, LOGL_ERROR, "invalid: rx Ciphering Mode Complete for NULL subscr\n");
|
||||
return;
|
||||
}
|
||||
|
||||
DEBUGP(DRR, "%s: CIPHERING MODE COMPLETE\n",
|
||||
vlr_subscr_name(conn->vsub));
|
||||
DEBUGP(DRR, "%s: CIPHERING MODE COMPLETE\n", vlr_subscr_name(conn->vsub));
|
||||
|
||||
tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
|
||||
if (msg) {
|
||||
struct gsm48_hdr *gh = msgb_l3(msg);
|
||||
unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
|
||||
struct tlv_parsed tp;
|
||||
uint8_t mi_type;
|
||||
char imeisv[GSM48_MI_SIZE] = "";
|
||||
|
||||
/* bearer capability */
|
||||
if (TLVP_PRESENT(&tp, GSM48_IE_MOBILE_ID)) {
|
||||
mi_type = TLVP_VAL(&tp, GSM48_IE_MOBILE_ID)[0] & GSM_MI_TYPE_MASK;
|
||||
if (mi_type == GSM_MI_TYPE_IMEISV
|
||||
&& TLVP_LEN(&tp, GSM48_IE_MOBILE_ID) > 0) {
|
||||
gsm48_mi_to_string(imeisv, sizeof(imeisv),
|
||||
TLVP_VAL(&tp, GSM48_IE_MOBILE_ID),
|
||||
TLVP_LEN(&tp, GSM48_IE_MOBILE_ID));
|
||||
ciph_res.imeisv = imeisv;
|
||||
if (!gh) {
|
||||
LOGP(DRR, LOGL_ERROR, "invalid: msgb without l3 header\n");
|
||||
return;
|
||||
}
|
||||
|
||||
tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
|
||||
|
||||
/* bearer capability */
|
||||
if (TLVP_PRESENT(&tp, GSM48_IE_MOBILE_ID)) {
|
||||
mi_type = TLVP_VAL(&tp, GSM48_IE_MOBILE_ID)[0] & GSM_MI_TYPE_MASK;
|
||||
if (mi_type == GSM_MI_TYPE_IMEISV
|
||||
&& TLVP_LEN(&tp, GSM48_IE_MOBILE_ID) > 0) {
|
||||
gsm48_mi_to_string(imeisv, sizeof(imeisv),
|
||||
TLVP_VAL(&tp, GSM48_IE_MOBILE_ID),
|
||||
TLVP_LEN(&tp, GSM48_IE_MOBILE_ID));
|
||||
ciph_res.imeisv = imeisv;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue