fix the buffer overflow (CVE-2021-41794)
This commit is contained in:
parent
0fb8279e36
commit
bfa34be222
|
@ -555,7 +555,7 @@ int ogs_pco_build(unsigned char *data, int data_len, ogs_pco_t *pco);
|
|||
|
||||
/* Flags(1) + TEID Range(1) + IPV4(4) + IPV6(16) + Source Interface(1) = 23 */
|
||||
#define OGS_MAX_USER_PLANE_IP_RESOURCE_INFO_LEN \
|
||||
(23 + OGS_MAX_APN_LEN)
|
||||
(23 + (OGS_MAX_APN_LEN+1))
|
||||
typedef struct ogs_user_plane_ip_resource_info_s {
|
||||
union {
|
||||
struct {
|
||||
|
@ -580,7 +580,7 @@ ED6(uint8_t spare:1;,
|
|||
uint8_t teid_range;
|
||||
uint32_t addr;
|
||||
uint8_t addr6[OGS_IPV6_LEN];
|
||||
char network_instance[OGS_MAX_APN_LEN];
|
||||
char network_instance[OGS_MAX_APN_LEN+1];
|
||||
uint8_t source_interface;
|
||||
} __attribute__ ((packed)) ogs_user_plane_ip_resource_info_t;
|
||||
|
||||
|
|
|
@ -28,13 +28,13 @@ type_list["Header compression configuration"]["encode"] = \
|
|||
|
||||
type_list["DNN"]["decode"] = \
|
||||
" {\n" \
|
||||
" char data_network_name[OGS_MAX_DNN_LEN];\n" \
|
||||
" char data_network_name[OGS_MAX_DNN_LEN+1];\n" \
|
||||
" dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, ogs_min(dnn->length, OGS_MAX_DNN_LEN+1));\n" \
|
||||
" if (dnn->length > 0) {\n" \
|
||||
" ogs_cpystrn(dnn->value, data_network_name, ogs_min(dnn->length, OGS_MAX_DNN_LEN) + 1);\n" \
|
||||
" } else {\n" \
|
||||
" ogs_error(\"UE not APN setting\");\n" \
|
||||
" }\n" \
|
||||
" ogs_cpystrn(dnn->value, data_network_name, ogs_min(dnn->length, OGS_MAX_DNN_LEN)+1);\n" \
|
||||
" } else {\n" \
|
||||
" ogs_error(\"UE not APN setting\");\n" \
|
||||
" }\n" \
|
||||
" }\n\n"
|
||||
|
||||
type_list["DNN"]["encode"] = \
|
||||
|
|
|
@ -40,7 +40,7 @@ typedef struct ogs_nas_5gs_guti_s {
|
|||
* O TLV 3-102 */
|
||||
typedef struct ogs_nas_dnn_s {
|
||||
uint8_t length;
|
||||
char value[OGS_MAX_DNN_LEN];
|
||||
char value[OGS_MAX_DNN_LEN+1];
|
||||
} ogs_nas_dnn_t;
|
||||
|
||||
/* 9.11.2.2 EAP message
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.1.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-10-13 22:56:00.082596 by acetcom
|
||||
* Created on: 2021-11-15 15:24:45.981268 by acetcom
|
||||
* from 24301-g40.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.1.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-10-13 22:56:00.091945 by acetcom
|
||||
* Created on: 2021-11-15 15:24:45.990017 by acetcom
|
||||
* from 24301-g40.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.1.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-10-13 22:56:00.070665 by acetcom
|
||||
* Created on: 2021-11-15 15:24:45.969895 by acetcom
|
||||
* from 24301-g40.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
@ -3013,13 +3013,13 @@ int ogs_nas_eps_decode_access_point_name(ogs_nas_access_point_name_t *access_poi
|
|||
memcpy(access_point_name, pkbuf->data - size, size);
|
||||
|
||||
{
|
||||
char apn[OGS_MAX_APN_LEN];
|
||||
char apn[OGS_MAX_APN_LEN+1];
|
||||
access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN+1));
|
||||
if (access_point_name->length > 0) {
|
||||
ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN) + 1);
|
||||
} else {
|
||||
ogs_error("UE not APN setting");
|
||||
}
|
||||
if (access_point_name->length > 0) {
|
||||
ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN)+1);
|
||||
} else {
|
||||
ogs_error("UE not APN setting");
|
||||
}
|
||||
}
|
||||
|
||||
ogs_trace(" ACCESS_POINT_NAME - ");
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.1.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-10-13 22:56:00.068858 by acetcom
|
||||
* Created on: 2021-11-15 15:24:45.968168 by acetcom
|
||||
* from 24301-g40.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.1.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-10-13 22:56:00.076081 by acetcom
|
||||
* Created on: 2021-11-15 15:24:45.975004 by acetcom
|
||||
* from 24301-g40.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
|
|
@ -70,13 +70,13 @@ type_list["Short MAC"]["encode"] = \
|
|||
|
||||
type_list["Access point name"]["decode"] = \
|
||||
" {\n" \
|
||||
" char apn[OGS_MAX_APN_LEN];\n" \
|
||||
" char apn[OGS_MAX_APN_LEN+1];\n" \
|
||||
" access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN+1));\n" \
|
||||
" if (access_point_name->length > 0) {\n" \
|
||||
" ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN) + 1);\n" \
|
||||
" } else {\n" \
|
||||
" ogs_error(\"UE not APN setting\");\n" \
|
||||
" }\n" \
|
||||
" if (access_point_name->length > 0) {\n" \
|
||||
" ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN)+1);\n" \
|
||||
" } else {\n" \
|
||||
" ogs_error(\"UE not APN setting\");\n" \
|
||||
" }\n" \
|
||||
" }\n\n"
|
||||
|
||||
type_list["Access point name"]["encode"] = \
|
||||
|
|
|
@ -237,7 +237,7 @@ ogs_pkbuf_t *ogs_pfcp_up_build_association_setup_response(uint8_t type,
|
|||
|
||||
static struct {
|
||||
ogs_pfcp_f_teid_t f_teid;
|
||||
char dnn[OGS_MAX_DNN_LEN];
|
||||
char dnn[OGS_MAX_DNN_LEN+1];
|
||||
char *sdf_filter[OGS_MAX_NUM_OF_FLOW_IN_PDR];
|
||||
} pdrbuf[OGS_MAX_NUM_OF_PDR];
|
||||
|
||||
|
|
|
@ -96,7 +96,7 @@ typedef struct ogs_pfcp_node_s {
|
|||
|
||||
uint16_t tac[OGS_MAX_NUM_OF_TAI];
|
||||
uint8_t num_of_tac;
|
||||
const char* dnn[OGS_MAX_DNN_LEN];
|
||||
const char* dnn[OGS_MAX_DNN_LEN+1];
|
||||
uint8_t num_of_dnn;
|
||||
uint32_t e_cell_id[OGS_MAX_NUM_OF_CELL_ID];
|
||||
uint8_t num_of_e_cell_id;
|
||||
|
@ -317,7 +317,7 @@ typedef struct ogs_pfcp_subnet_s {
|
|||
|
||||
ogs_ipsubnet_t sub; /* Subnet : 2001:230:cafe::0/48 */
|
||||
ogs_ipsubnet_t gw; /* Gateway : 2001:230:cafe::1 */
|
||||
char dnn[OGS_MAX_DNN_LEN]; /* DNN : "internet", "volte", .. */
|
||||
char dnn[OGS_MAX_DNN_LEN+1]; /* DNN : "internet", "volte", .. */
|
||||
|
||||
#define OGS_MAX_NUM_OF_SUBNET_RANGE 16
|
||||
struct {
|
||||
|
|
|
@ -417,7 +417,7 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_create_pdr(ogs_pfcp_sess_t *sess,
|
|||
}
|
||||
|
||||
if (message->pdi.network_instance.presence) {
|
||||
char dnn[OGS_MAX_DNN_LEN];
|
||||
char dnn[OGS_MAX_DNN_LEN+1];
|
||||
|
||||
ogs_assert(0 < ogs_fqdn_parse(dnn,
|
||||
message->pdi.network_instance.data,
|
||||
|
@ -665,7 +665,7 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_update_pdr(ogs_pfcp_sess_t *sess,
|
|||
}
|
||||
|
||||
if (message->pdi.network_instance.presence) {
|
||||
char dnn[OGS_MAX_DNN_LEN];
|
||||
char dnn[OGS_MAX_DNN_LEN+1];
|
||||
|
||||
ogs_assert(0 < ogs_fqdn_parse(dnn,
|
||||
message->pdi.network_instance.data,
|
||||
|
|
|
@ -175,7 +175,7 @@ int16_t ogs_pfcp_parse_user_plane_ip_resource_info(
|
|||
|
||||
ogs_assert(0 < ogs_fqdn_parse(
|
||||
info->network_instance, (char *)octet->data + size,
|
||||
ogs_min(len, OGS_MAX_APN_LEN+1)));
|
||||
ogs_min(len, OGS_MAX_APN_LEN)+1));
|
||||
size += len;
|
||||
}
|
||||
|
||||
|
|
|
@ -41,7 +41,7 @@ ogs_pkbuf_t *mme_s11_build_create_session_request(
|
|||
ogs_gtp_ue_timezone_t ue_timezone;
|
||||
struct timeval now;
|
||||
struct tm time_exp;
|
||||
char apn[OGS_MAX_APN_LEN];
|
||||
char apn[OGS_MAX_APN_LEN+1];
|
||||
|
||||
ogs_gtp_indication_t indication;
|
||||
|
||||
|
|
|
@ -127,7 +127,7 @@ void sgwc_s11_handle_create_session_request(
|
|||
ogs_gtp_f_teid_t *mme_s11_teid = NULL;
|
||||
ogs_gtp_uli_t uli;
|
||||
ogs_gtp_bearer_qos_t bearer_qos;
|
||||
char apn[OGS_MAX_APN_LEN];
|
||||
char apn[OGS_MAX_APN_LEN+1];
|
||||
|
||||
ogs_assert(s11_xact);
|
||||
ogs_assert(gtpbuf);
|
||||
|
|
|
@ -1019,7 +1019,7 @@ smf_sess_t *smf_sess_add_by_gtp_message(ogs_gtp_message_t *message)
|
|||
{
|
||||
smf_ue_t *smf_ue = NULL;
|
||||
smf_sess_t *sess = NULL;
|
||||
char apn[OGS_MAX_APN_LEN];
|
||||
char apn[OGS_MAX_APN_LEN+1];
|
||||
|
||||
ogs_gtp_create_session_request_t *req = &message->create_session_request;
|
||||
|
||||
|
|
|
@ -41,7 +41,7 @@ ogs_pkbuf_t *test_s2b_build_create_session_request(
|
|||
ogs_gtp_ambr_t ambr;
|
||||
ogs_gtp_bearer_qos_t bearer_qos;
|
||||
char bearer_qos_buf[GTP_BEARER_QOS_LEN];
|
||||
char apn[OGS_MAX_APN_LEN];
|
||||
char apn[OGS_MAX_APN_LEN+1];
|
||||
|
||||
ogs_gtp_indication_t indication;
|
||||
|
||||
|
|
Loading…
Reference in New Issue