cellular-infrastructure
/
osmo-msc
mirror of https://gerrit.osmocom.org/osmo-msc
9
0
Fork 0
Code Issues Releases Wiki Activity

gsm48: Add size checks to the paging response mi parsing. 

We go from no size checks to some content checking. We should
refactor the whole classmark2 + mi parsing that is used throughout
the code into one place with proper size checking. This is the
start and requires a new libosmocore as well.
This commit is contained in:
Holger Hans Peter Freyther 2010-05-16 01:51:14 +08:00
parent 5d65806472
commit f6903dee89
3 changed files with 17 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
openbsc/include/openbsc/gsm_04_08.h
View File

@ -52,7 +52,7 @@ int decode_bcd_number(char *output, int output_len, const u_int8_t *bcd_lv,
int h_len);
int send_siemens_mrpci(struct gsm_lchan *lchan, u_int8_t *classmark2_lv);
int gsm48_paging_extract_mi(struct msgb *msg, char *mi_string, u_int8_t *mi_type);
int gsm48_paging_extract_mi(struct gsm48_pag_resp *pag, int length, char *mi_string, u_int8_t *mi_type);
int gsm48_handle_paging_resp(struct msgb *msg, struct gsm_subscriber *subscr);
int gsm48_lchan_modify(struct gsm_lchan *lchan, u_int8_t lchan_mode);

5
openbsc/src/gsm_04_08.c
View File

@ -785,13 +785,16 @@ static int gsm48_rx_rr_pag_resp(struct msgb *msg)
{
struct gsm_bts *bts = msg->lchan->ts->trx->bts;
struct gsm48_hdr *gh = msgb_l3(msg);
struct gsm48_pag_resp *resp;
u_int8_t *classmark2_lv = gh->data + 1;
u_int8_t mi_type;
char mi_string[GSM48_MI_SIZE];
struct gsm_subscriber *subscr = NULL;
int rc = 0;
gsm48_paging_extract_mi(msg, mi_string, &mi_type);
resp = (struct gsm48_pag_resp *) &gh->data[0];
gsm48_paging_extract_mi(resp, msgb_l3len(msg) - sizeof(*gh),
mi_string, &mi_type);
DEBUGP(DRR, "PAGING RESPONSE: mi_type=0x%02x MI(%s)\n",
mi_type, mi_string);

17
openbsc/src/gsm_04_08_utils.c
View File

@ -243,13 +243,20 @@ int send_siemens_mrpci(struct gsm_lchan *lchan,
return rsl_siemens_mrpci(lchan, &mrpci);
}
int gsm48_paging_extract_mi(struct msgb *msg, char *mi_string, u_int8_t *mi_type)
int gsm48_paging_extract_mi(struct gsm48_pag_resp *resp, int length,
char *mi_string, u_int8_t *mi_type)
{
struct gsm48_hdr *gh = msgb_l3(msg);
u_int8_t *classmark2_lv = gh->data + 1;
u_int8_t *mi_lv = gh->data + 2 + *classmark2_lv;
*mi_type = mi_lv[1] & GSM_MI_TYPE_MASK;
u_int8_t *classmark2_lv = (uint8_t *) &resp->classmark2;
/* Check the size for the classmark */
if (length < 2 + *classmark2_lv)
return -1;
u_int8_t *mi_lv = classmark2_lv + *classmark2_lv + 1;
if (length < 3 + *classmark2_lv + mi_lv[0])
return -2;
*mi_type = mi_lv[1] & GSM_MI_TYPE_MASK;
return gsm48_mi_to_string(mi_string, GSM48_MI_SIZE, mi_lv+1, *mi_lv);
}