mirror of https://gerrit.osmocom.org/libosmocore
constrain gsm48_generate_mid() output array bounds
The longest BCd-digit type identity is the IMEISV with 16, so there's no point in trying to parse up to 255 decimal digits, which will do nothing but to overflow the caller-provided output buffer. Let's also clearly define the required minimum size of the output buffer and add a reltead #define for it. Change-Id: Ic8488bc7f77dc9182e372741b88f0f06100dddc9
This commit is contained in:
parent
1317771c93
commit
1c3bae138c
|
@ -45,6 +45,7 @@ void gsm48_generate_lai(struct gsm48_loc_area_id *lai48, uint16_t mcc,
|
||||||
OSMO_DEPRECATED("Use gsm48_generate_lai2() instead, to not lose leading zeros in the MNC");
|
OSMO_DEPRECATED("Use gsm48_generate_lai2() instead, to not lose leading zeros in the MNC");
|
||||||
void gsm48_generate_lai2(struct gsm48_loc_area_id *lai48, const struct osmo_location_area_id *lai);
|
void gsm48_generate_lai2(struct gsm48_loc_area_id *lai48, const struct osmo_location_area_id *lai);
|
||||||
|
|
||||||
|
#define GSM48_MID_MAX_SIZE 11
|
||||||
int gsm48_generate_mid_from_tmsi(uint8_t *buf, uint32_t tmsi);
|
int gsm48_generate_mid_from_tmsi(uint8_t *buf, uint32_t tmsi);
|
||||||
int gsm48_generate_mid_from_imsi(uint8_t *buf, const char *imsi);
|
int gsm48_generate_mid_from_imsi(uint8_t *buf, const char *imsi);
|
||||||
uint8_t gsm48_generate_mid(uint8_t *buf, const char *id, uint8_t mi_type);
|
uint8_t gsm48_generate_mid(uint8_t *buf, const char *id, uint8_t mi_type);
|
||||||
|
|
|
@ -1156,7 +1156,7 @@ int bssgp_tx_dl_ud(struct msgb *msg, uint16_t pdu_lifetime,
|
||||||
|
|
||||||
/* IMSI */
|
/* IMSI */
|
||||||
if (dup->imsi && strlen(dup->imsi)) {
|
if (dup->imsi && strlen(dup->imsi)) {
|
||||||
uint8_t mi[10];
|
uint8_t mi[GSM48_MID_MAX_SIZE];
|
||||||
int imsi_len = gsm48_generate_mid_from_imsi(mi, dup->imsi);
|
int imsi_len = gsm48_generate_mid_from_imsi(mi, dup->imsi);
|
||||||
if (imsi_len > 2)
|
if (imsi_len > 2)
|
||||||
msgb_tvlv_push(msg, BSSGP_IE_IMSI,
|
msgb_tvlv_push(msg, BSSGP_IE_IMSI,
|
||||||
|
@ -1205,7 +1205,7 @@ int bssgp_tx_paging(uint16_t nsei, uint16_t ns_bvci,
|
||||||
struct bssgp_normal_hdr *bgph =
|
struct bssgp_normal_hdr *bgph =
|
||||||
(struct bssgp_normal_hdr *) msgb_put(msg, sizeof(*bgph));
|
(struct bssgp_normal_hdr *) msgb_put(msg, sizeof(*bgph));
|
||||||
uint16_t drx_params = osmo_htons(pinfo->drx_params);
|
uint16_t drx_params = osmo_htons(pinfo->drx_params);
|
||||||
uint8_t mi[10];
|
uint8_t mi[GSM48_MID_MAX_SIZE];
|
||||||
int imsi_len = gsm48_generate_mid_from_imsi(mi, pinfo->imsi);
|
int imsi_len = gsm48_generate_mid_from_imsi(mi, pinfo->imsi);
|
||||||
struct gsm48_ra_id ra;
|
struct gsm48_ra_id ra;
|
||||||
|
|
||||||
|
|
|
@ -178,7 +178,7 @@ int bssgp_tx_radio_status_imsi(struct bssgp_bvc_ctx *bctx, uint8_t cause,
|
||||||
const char *imsi)
|
const char *imsi)
|
||||||
{
|
{
|
||||||
struct msgb *msg = common_tx_radio_status(bctx);
|
struct msgb *msg = common_tx_radio_status(bctx);
|
||||||
uint8_t mi[10];
|
uint8_t mi[GSM48_MID_MAX_SIZE];
|
||||||
int imsi_len = gsm48_generate_mid_from_imsi(mi, imsi);
|
int imsi_len = gsm48_generate_mid_from_imsi(mi, imsi);
|
||||||
|
|
||||||
if (!msg)
|
if (!msg)
|
||||||
|
|
|
@ -637,20 +637,23 @@ int gsm48_generate_mid_from_tmsi(uint8_t *buf, uint32_t tmsi)
|
||||||
return 7;
|
return 7;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*! Generate TS 24.008 §10.5.1.4 Mobile ID
|
/*! Generate TS 24.008 §10.5.1.4 Mobile ID of BCD type from ASCII string
|
||||||
* \param[out] buf Caller-provided output buffer
|
* \param[out] buf Caller-provided output buffer of at least GSM48_MID_MAX_SIZE bytes
|
||||||
* \param[in] id Identity to be encoded
|
* \param[in] id Identity to be encoded
|
||||||
* \param[in] mi_type Type of identity (e.g. GSM_MI_TYPE_TMSI)
|
* \param[in] mi_type Type of identity (e.g. GSM_MI_TYPE_IMSI, IMEI, IMEISV)
|
||||||
* \returns number of bytes used in \a buf */
|
* \returns number of bytes used in \a buf */
|
||||||
uint8_t gsm48_generate_mid(uint8_t *buf, const char *id, uint8_t mi_type)
|
uint8_t gsm48_generate_mid(uint8_t *buf, const char *id, uint8_t mi_type)
|
||||||
{
|
{
|
||||||
uint8_t length = strnlen(id, 255), i, off = 0, odd = (length & 1) == 1;
|
uint8_t length = strnlen(id, 16), i, off = 0, odd = (length & 1) == 1;
|
||||||
|
/* maximum length == 16 (IMEISV) */
|
||||||
|
|
||||||
buf[0] = GSM48_IE_MOBILE_ID;
|
buf[0] = GSM48_IE_MOBILE_ID;
|
||||||
buf[2] = osmo_char2bcd(id[0]) << 4 | (mi_type & GSM_MI_TYPE_MASK) | (odd << 3);
|
buf[2] = osmo_char2bcd(id[0]) << 4 | (mi_type & GSM_MI_TYPE_MASK) | (odd << 3);
|
||||||
|
|
||||||
/* if the length is even we will fill half of the last octet */
|
/* if the length is even we will fill half of the last octet */
|
||||||
buf[1] = (length + (odd ? 1 : 2)) >> 1;
|
buf[1] = (length + (odd ? 1 : 2)) >> 1;
|
||||||
|
/* buf[1] maximum = 18/2 = 9 */
|
||||||
|
OSMO_ASSERT(buf[1] <= 9);
|
||||||
|
|
||||||
for (i = 1; i < buf[1]; ++i) {
|
for (i = 1; i < buf[1]; ++i) {
|
||||||
uint8_t upper, lower = osmo_char2bcd(id[++off]);
|
uint8_t upper, lower = osmo_char2bcd(id[++off]);
|
||||||
|
@ -662,6 +665,7 @@ uint8_t gsm48_generate_mid(uint8_t *buf, const char *id, uint8_t mi_type)
|
||||||
buf[2 + i] = (upper << 4) | lower;
|
buf[2 + i] = (upper << 4) | lower;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* maximum return value: 2 + 9 = 11 */
|
||||||
return 2 + buf[1];
|
return 2 + buf[1];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue