SCCP: enforce optional data length limits

Limit length of optional Data parameter to 130 bytes to conform with ITU-T Rec Q.713 §4.2..§4.5 while receiving SCCP messages. Related: OS#5579 Change-Id: Icc3bd0a71b29cf61a259c5d97e7dd85beb4397bd
2022-08-14 15:01:31 +07:00 · 2022-08-14 15:01:31 +07:00 · 4f9c66dc0f
parent 12e76b8859
commit 4f9c66dc0f
2 changed files with 29 additions and 2 deletions
--- a/include/osmocom/sccp/sccp_types.h
+++ b/include/osmocom/sccp/sccp_types.h
@ -24,6 +24,8 @@
 #include <osmocom/core/endian.h>
 #include <osmocom/core/utils.h>

+#define SCCP_MAX_OPTIONAL_DATA 130
+
 /* Table 1/Q.713 - SCCP message types */
 enum sccp_message_types {
 	SCCP_MSG_TYPE_CR	= 1,
--- a/src/sccp.c
+++ b/src/sccp.c
@ -20,6 +20,7 @@
 *
 */

+#include <errno.h>
 #include <string.h>

 #include <osmocom/core/msgb.h>
@ -27,7 +28,7 @@
 #include <osmocom/core/logging.h>
 #include <osmocom/core/endian.h>
 #include <osmocom/gsm/tlv.h>
-
+#include <osmocom/sccp/sccp_types.h>
 #include <osmocom/sccp/sccp.h>

 // Unassigned debug area
@ -226,6 +227,12 @@ int _sccp_parse_connection_request(struct msgb *msgb, struct sccp_parse_result *
 	}

 	if (optional_data.data_len != 0) {
+		if (optional_data.data_len > SCCP_MAX_OPTIONAL_DATA) {
+			LOGP(DSCCP, LOGL_ERROR,
+				 "optional data has length %u exceeding max of %u according to ITU-T Rec. Q.713 §4.2\n",
+				 optional_data.data_len, SCCP_MAX_OPTIONAL_DATA);
+			return -EMSGSIZE;
+		}
 		msgb->l3h = &msgb->l2h[optional_data.data_start];
 		result->data_len = optional_data.data_len;
 	} else {
@ -260,6 +267,12 @@ int _sccp_parse_connection_released(struct msgb *msgb, struct sccp_parse_result
 	result->destination_local_reference = &rls->destination_local_reference;

 	if (optional_data.data_len != 0) {
+		if (optional_data.data_len > SCCP_MAX_OPTIONAL_DATA) {
+			LOGP(DSCCP, LOGL_ERROR,
+				 "optional data has length %u exceeding max of %u according to ITU-T Rec. Q.713 §4.5\n",
+				 optional_data.data_len, SCCP_MAX_OPTIONAL_DATA);
+			return -EMSGSIZE;
+		}
 		msgb->l3h = &msgb->l2h[optional_data.data_start];
 		result->data_len = optional_data.data_len;
 	} else {
@ -297,6 +310,12 @@ int _sccp_parse_connection_refused(struct msgb *msgb, struct sccp_parse_result *

 	/* optional data */
 	if (optional_data.data_len != 0) {
+		if (optional_data.data_len > SCCP_MAX_OPTIONAL_DATA) {
+			LOGP(DSCCP, LOGL_ERROR,
+				 "optional data has length %u exceeding max of %u according to ITU-T Rec. Q.713 §4.4\n",
+				 optional_data.data_len, SCCP_MAX_OPTIONAL_DATA);
+			return -EMSGSIZE;
+		}
 		msgb->l3h = &msgb->l2h[optional_data.data_start];
 		result->data_len = optional_data.data_len;
 	} else {
@ -334,6 +353,12 @@ int _sccp_parse_connection_confirm(struct msgb *msgb, struct sccp_parse_result *
 	}

 	if (optional_data.data_len != 0) {
+		if (optional_data.data_len > SCCP_MAX_OPTIONAL_DATA) {
+			LOGP(DSCCP, LOGL_ERROR,
+				 "optional data has length %u exceeding max of %u according to ITU-T Rec. Q.713 §4.3\n",
+				 optional_data.data_len, SCCP_MAX_OPTIONAL_DATA);
+			return -EMSGSIZE;
+		}
 		msgb->l3h = &msgb->l2h[optional_data.data_start];
 		result->data_len = optional_data.data_len;
 	} else {
@ -818,7 +843,7 @@ struct msgb *sccp_create_cr(const struct sccp_source_reference *src_ref,
 	uint8_t extra_size = 3 + 1;
 	int called_len;

-	if (l3_data && (l3_length < 3 || l3_length > 130)) {
+	if (l3_data && (l3_length < 3 || l3_length > SCCP_MAX_OPTIONAL_DATA)) {
 		LOGP(DSCCP, LOGL_ERROR, "Invalid amount of data... %zu\n", l3_length);
 		return NULL;
 	}