osmo-msc/src/libmsc
Vadim Yanitskiy 9d61db7f06 libmsc/db.c: fix storing SMS with empty TP-User-Data
Thanks to db_sms_test, it was discovered that storing an SMS with
empty TP-User-Data (TP-UDL=1) causes buffer overruns in libdbi
and its SQLite3 driver (libdbdsqlite3):

  DDB NOTICE test_db_sms_store('Empty TP-UD'): ==7791== Invalid write of size 2
  ==7791==    at 0x857DC60: dbd_quote_binary (in /usr/lib/x86_64-linux-gnu/dbd/libdbdsqlite3.so)
  ==7791==    by 0x5B2B321: dbi_conn_quote_binary_copy (in /usr/lib/x86_64-linux-gnu/libdbi.so.1.1.0)
  ==7791==    by 0x4073B1: db_sms_store (db.c:701)
  ==7791==    by 0x405BB5: test_db_sms_store (db_sms_test.c:310)
  ==7791==    by 0x405BB5: main (db_sms_test.c:546)
  ==7791==  Address 0x7ed1cf0 is 0 bytes after a block of size 0 alloc'd
  ==7791==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==7791==    by 0x857DC4B: dbd_quote_binary (in /usr/lib/x86_64-linux-gnu/dbd/libdbdsqlite3.so)
  ==7791==    by 0x5B2B321: dbi_conn_quote_binary_copy (in /usr/lib/x86_64-linux-gnu/libdbi.so.1.1.0)
  ==7791==    by 0x4073B1: db_sms_store (db.c:701)
  ==7791==    by 0x405BB5: test_db_sms_store (db_sms_test.c:310)
  ==7791==    by 0x405BB5: main (db_sms_test.c:546)

  ...

  DDB NOTICE test_db_sms_get('Empty TP-UD'): ==8051== Invalid read of size 1
  ==8051==    at 0x5B30510: _dbd_decode_binary (in /usr/lib/x86_64-linux-gnu/libdbi.so.1.1.0)
  ==8051==    by 0x857D957: dbd_fetch_row (in /usr/lib/x86_64-linux-gnu/dbd/libdbdsqlite3.so)
  ==8051==    by 0x5B2C86E: dbi_result_seek_row (in /usr/lib/x86_64-linux-gnu/libdbi.so.1.1.0)
  ==8051==    by 0x40828F: next_row (db.c:188)
  ==8051==    by 0x40828F: db_sms_get (db.c:805)
  ==8051==    by 0x406C29: test_db_sms_get (db_sms_test.c:390)
  ==8051==    by 0x405C14: main (db_sms_test.c:547)
  ==8051==  Address 0x8f74641 is 0 bytes after a block of size 1 alloc'd
  ==8051==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==8051==    by 0x5DBEB49: strdup (strdup.c:42)
  ==8051==    by 0x857D93C: dbd_fetch_row (in /usr/lib/x86_64-linux-gnu/dbd/libdbdsqlite3.so)
  ==8051==    by 0x5B2C86E: dbi_result_seek_row (in /usr/lib/x86_64-linux-gnu/libdbi.so.1.1.0)
  ==8051==    by 0x40828F: next_row (db.c:188)
  ==8051==    by 0x40828F: db_sms_get (db.c:805)
  ==8051==    by 0x406C29: test_db_sms_get (db_sms_test.c:390)
  ==8051==    by 0x405C14: main (db_sms_test.c:547)
  ==8051==
  success, as expected
  DDB NOTICE verify_sms('Empty TP-UD'): user_data_len mismatch: E0 vs A3

Apparently, dbi_conn_quote_binary_copy() doesn't properly handle
zero-length input. Let's guard against this.

Observed with:

  - libdbi-dev 0.9.0-1
  - libdbd-sqlite3:amd64 0.9.0-2ubuntu2

Change-Id: If0b2bb557118c5f0e520a2e6c2816336f6028661
2019-06-03 17:28:44 +07:00
Makefile.am large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
call_leg.c Request Osmux CID and forward it in Assign Req and Assign Compl 2019-05-21 18:32:38 +02:00
cell_id_list.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
ctrl_commands.c vlr_subscr: use osmo_use_count 2019-04-12 02:15:25 +02:00
db.c libmsc/db.c: fix storing SMS with empty TP-User-Data 2019-06-03 17:28:44 +07:00
e_link.c GSUP: include terminating nul in inter-MSC source/destination name 2019-05-08 17:02:32 +02:00
gsm_04_08.c libmsc/gsm_04_08.c: clarify IMEI rejection in gsm48_rx_mm_serv_req() 2019-05-12 10:35:18 +00:00
gsm_04_08_cc.c fix regression: fix internal MNCC operation 2019-05-09 01:23:09 +02:00
gsm_04_11.c libmsc/gsm_04_11.c: properly handle MMTS indication 2019-05-19 07:34:35 +00:00
gsm_04_11_gsup.c libmsc/gsm_04_11.c: properly handle MMTS indication 2019-05-19 07:34:35 +00:00
gsm_04_14.c rename bscconfig.h to config.h, cleanup 2019-05-08 17:02:32 +02:00
gsm_04_80.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
gsm_09_11.c add DSS logging category 2019-05-12 10:32:42 +00:00
gsup_client_mux.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
mncc.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
mncc_builtin.c fix regression: fix internal MNCC operation 2019-05-09 01:23:09 +02:00
mncc_call.c libmsc/mncc_call.c: fix uninitialized access of stack memory 2019-05-13 20:15:04 +00:00
mncc_sock.c fix regression: fix internal MNCC operation 2019-05-09 01:23:09 +02:00
msc_a.c Request Osmux CID and forward it in Assign Req and Assign Compl 2019-05-21 18:32:38 +02:00
msc_a_remote.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
msc_ho.c libmsc/msc_ho.c: fix unreachable check of MSC-T role allocation 2019-05-13 20:15:04 +00:00
msc_i.c call_leg: remove unused event MSC_EV_CALL_LEG_RTP_RELEASED 2019-05-10 07:13:41 +00:00
msc_i_remote.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
msc_net_init.c rename bscconfig.h to config.h, cleanup 2019-05-08 17:02:32 +02:00
msc_t.c Use GSM23003_MSISDN_MAX_DIGITS from libosmogsm 2019-05-29 08:48:16 +00:00
msc_t_remote.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
msc_vty.c libmsc/msc_vty.c: do not abuse strlen() to check char buffers 2019-06-03 07:18:41 +00:00
msub.c msub_check_for_release(): Initialize msc_role_a_c 2019-05-09 08:42:48 +00:00
neighbor_ident.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
neighbor_ident_vty.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
paging.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
ran_conn.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
ran_infra.c rename bscconfig.h to config.h, cleanup 2019-05-08 17:02:32 +02:00
ran_msg.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
ran_msg_a.c Request Osmux CID and forward it in Assign Req and Assign Compl 2019-05-21 18:32:38 +02:00
ran_msg_iu.c Iu: Send SMS over SAPI-3 2019-05-10 23:56:49 +02:00
ran_peer.c bssap: Detect BSC Osmux support on RESET (ACK) recv 2019-05-19 07:28:02 +00:00
ran_up_l2.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
rrlp.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
rtp_stream.c Request Osmux CID and forward it in Assign Req and Assign Compl 2019-05-21 18:32:38 +02:00
sccp_ran.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
sgs_iface.c sgs_iface: detect and react to VLR/HLR failure 2019-05-27 11:49:50 +00:00
sgs_server.c libmsc/sgs_server.c: do not override rc in case of SCTP_SHUTDOWN_EVENT 2019-05-13 20:15:04 +00:00
sgs_vty.c libmsc: fix: properly initialize the SGs server 2019-03-28 17:10:11 +07:00
silent_call.c large refactoring: support inter-BSC and inter-MSC Handover 2019-05-08 17:02:32 +02:00
smpp_openbsc.c smpp: Make libsmpp34 use talloc for its allocations 2019-05-08 23:49:45 +02:00
smpp_smsc.c smpp_smsc: Call destroy_tlv() when using build_tlv() 2019-04-10 10:53:23 +00:00
smpp_smsc.h SMPP: Don't accept password or system-id exceeding spec length 2019-05-10 07:07:00 +00:00
smpp_utils.c dissolve libcommon: drop debug.c 2018-03-22 17:05:42 +01:00
smpp_vty.c Write configuration correctly from vty (alert notifications) 2019-03-29 22:48:38 +00:00
sms_queue.c Use GSM23003_MSISDN_MAX_DIGITS from libosmogsm 2019-05-29 08:48:16 +00:00
transaction.c transaction: accept trans_type enum in trans_log_subsys() 2019-05-26 09:27:22 +00:00