fix the buffer overflow (CVE-2021-41794)

2021-11-15 15:49:58 +09:00 · 2021-11-15 15:49:58 +09:00 · bfa34be222
parent 0fb8279e36
commit bfa34be222
17 changed files with 35 additions and 35 deletions
--- a/lib/core/ogs-3gpp-types.h
+++ b/lib/core/ogs-3gpp-types.h
@ -555,7 +555,7 @@ int ogs_pco_build(unsigned char *data, int data_len, ogs_pco_t *pco);

 /* Flags(1) + TEID Range(1) + IPV4(4) + IPV6(16) + Source Interface(1) = 23 */
 #define OGS_MAX_USER_PLANE_IP_RESOURCE_INFO_LEN \
-    (23 + OGS_MAX_APN_LEN)
+    (23 + (OGS_MAX_APN_LEN+1))
 typedef struct ogs_user_plane_ip_resource_info_s {
    union {
        struct {
@ -580,7 +580,7 @@ ED6(uint8_t     spare:1;,
    uint8_t     teid_range;
    uint32_t    addr;
    uint8_t     addr6[OGS_IPV6_LEN];
-    char        network_instance[OGS_MAX_APN_LEN];
+    char        network_instance[OGS_MAX_APN_LEN+1];
    uint8_t     source_interface;
 } __attribute__ ((packed)) ogs_user_plane_ip_resource_info_t;

--- a/lib/nas/5gs/support/type-list.py
+++ b/lib/nas/5gs/support/type-list.py
@ -28,13 +28,13 @@ type_list["Header compression configuration"]["encode"] = \

 type_list["DNN"]["decode"] = \
 "    {\n" \
-"        char data_network_name[OGS_MAX_DNN_LEN];\n" \
+"        char data_network_name[OGS_MAX_DNN_LEN+1];\n" \
 "        dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, ogs_min(dnn->length, OGS_MAX_DNN_LEN+1));\n" \
 "        if (dnn->length > 0) {\n" \
-"            ogs_cpystrn(dnn->value, data_network_name, ogs_min(dnn->length, OGS_MAX_DNN_LEN) + 1);\n" \
-"         } else {\n" \
-"             ogs_error(\"UE not APN setting\");\n" \
-"         }\n" \
+"            ogs_cpystrn(dnn->value, data_network_name, ogs_min(dnn->length, OGS_MAX_DNN_LEN)+1);\n" \
+"        } else {\n" \
+"            ogs_error(\"UE not APN setting\");\n" \
+"        }\n" \
 "    }\n\n"

 type_list["DNN"]["encode"] = \
--- a/lib/nas/5gs/types.h
+++ b/lib/nas/5gs/types.h
@ -40,7 +40,7 @@ typedef struct ogs_nas_5gs_guti_s {
 * O TLV 3-102 */
 typedef struct ogs_nas_dnn_s {
    uint8_t length;
-    char value[OGS_MAX_DNN_LEN];
+    char value[OGS_MAX_DNN_LEN+1];
 } ogs_nas_dnn_t;

 /* 9.11.2.2 EAP message
--- a/lib/nas/eps/decoder.c
+++ b/lib/nas/eps/decoder.c
@ -28,7 +28,7 @@
 /*******************************************************************************
 * This file had been created by nas-message.py script v0.1.0
 * Please do not modify this file but regenerate it via script.
- * Created on: 2021-10-13 22:56:00.082596 by acetcom
+ * Created on: 2021-11-15 15:24:45.981268 by acetcom
 * from 24301-g40.docx
 ******************************************************************************/

--- a/lib/nas/eps/encoder.c
+++ b/lib/nas/eps/encoder.c
@ -28,7 +28,7 @@
 /*******************************************************************************
 * This file had been created by nas-message.py script v0.1.0
 * Please do not modify this file but regenerate it via script.
- * Created on: 2021-10-13 22:56:00.091945 by acetcom
+ * Created on: 2021-11-15 15:24:45.990017 by acetcom
 * from 24301-g40.docx
 ******************************************************************************/

--- a/lib/nas/eps/ies.c
+++ b/lib/nas/eps/ies.c
@ -28,7 +28,7 @@
 /*******************************************************************************
 * This file had been created by nas-message.py script v0.1.0
 * Please do not modify this file but regenerate it via script.
- * Created on: 2021-10-13 22:56:00.070665 by acetcom
+ * Created on: 2021-11-15 15:24:45.969895 by acetcom
 * from 24301-g40.docx
 ******************************************************************************/

@ -3013,13 +3013,13 @@ int ogs_nas_eps_decode_access_point_name(ogs_nas_access_point_name_t *access_poi
    memcpy(access_point_name, pkbuf->data - size, size);

    {
-        char apn[OGS_MAX_APN_LEN];
+        char apn[OGS_MAX_APN_LEN+1];
        access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN+1));
-         if (access_point_name->length > 0) {
-             ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN) + 1);
-         } else {
-             ogs_error("UE not APN setting");
-         }
+        if (access_point_name->length > 0) {
+            ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN)+1);
+        } else {
+            ogs_error("UE not APN setting");
+        }
    }

    ogs_trace("  ACCESS_POINT_NAME - ");
--- a/lib/nas/eps/ies.h
+++ b/lib/nas/eps/ies.h
@ -28,7 +28,7 @@
 /*******************************************************************************
 * This file had been created by nas-message.py script v0.1.0
 * Please do not modify this file but regenerate it via script.
- * Created on: 2021-10-13 22:56:00.068858 by acetcom
+ * Created on: 2021-11-15 15:24:45.968168 by acetcom
 * from 24301-g40.docx
 ******************************************************************************/

--- a/lib/nas/eps/message.h
+++ b/lib/nas/eps/message.h
@ -28,7 +28,7 @@
 /*******************************************************************************
 * This file had been created by nas-message.py script v0.1.0
 * Please do not modify this file but regenerate it via script.
- * Created on: 2021-10-13 22:56:00.076081 by acetcom
+ * Created on: 2021-11-15 15:24:45.975004 by acetcom
 * from 24301-g40.docx
 ******************************************************************************/

--- a/lib/nas/eps/support/type-list.py
+++ b/lib/nas/eps/support/type-list.py
@ -70,13 +70,13 @@ type_list["Short MAC"]["encode"] = \

 type_list["Access point name"]["decode"] = \
 "    {\n" \
-"        char apn[OGS_MAX_APN_LEN];\n" \
+"        char apn[OGS_MAX_APN_LEN+1];\n" \
 "        access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN+1));\n" \
-"         if (access_point_name->length > 0) {\n" \
-"             ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN) + 1);\n" \
-"         } else {\n" \
-"             ogs_error(\"UE not APN setting\");\n" \
-"         }\n" \
+"        if (access_point_name->length > 0) {\n" \
+"            ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN)+1);\n" \
+"        } else {\n" \
+"            ogs_error(\"UE not APN setting\");\n" \
+"        }\n" \
 "    }\n\n"

 type_list["Access point name"]["encode"] = \
--- a/lib/pfcp/build.c
+++ b/lib/pfcp/build.c
@ -237,7 +237,7 @@ ogs_pkbuf_t *ogs_pfcp_up_build_association_setup_response(uint8_t type,

 static struct {
    ogs_pfcp_f_teid_t f_teid;
-    char dnn[OGS_MAX_DNN_LEN];
+    char dnn[OGS_MAX_DNN_LEN+1];
    char *sdf_filter[OGS_MAX_NUM_OF_FLOW_IN_PDR];
 } pdrbuf[OGS_MAX_NUM_OF_PDR];

--- a/lib/pfcp/context.h
+++ b/lib/pfcp/context.h
@ -96,7 +96,7 @@ typedef struct ogs_pfcp_node_s {

    uint16_t        tac[OGS_MAX_NUM_OF_TAI];
    uint8_t         num_of_tac;
-    const char*     dnn[OGS_MAX_DNN_LEN];
+    const char*     dnn[OGS_MAX_DNN_LEN+1];
    uint8_t         num_of_dnn;
    uint32_t        e_cell_id[OGS_MAX_NUM_OF_CELL_ID];
    uint8_t         num_of_e_cell_id;
@ -317,7 +317,7 @@ typedef struct ogs_pfcp_subnet_s {

    ogs_ipsubnet_t  sub;                    /* Subnet : 2001:230:cafe::0/48 */
    ogs_ipsubnet_t  gw;                     /* Gateway : 2001:230:cafe::1 */
-    char            dnn[OGS_MAX_DNN_LEN];   /* DNN : "internet", "volte", .. */
+    char            dnn[OGS_MAX_DNN_LEN+1]; /* DNN : "internet", "volte", .. */

 #define OGS_MAX_NUM_OF_SUBNET_RANGE 16
    struct {
--- a/lib/pfcp/handler.c
+++ b/lib/pfcp/handler.c
@ -417,7 +417,7 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_create_pdr(ogs_pfcp_sess_t *sess,
    }

    if (message->pdi.network_instance.presence) {
-        char dnn[OGS_MAX_DNN_LEN];
+        char dnn[OGS_MAX_DNN_LEN+1];

        ogs_assert(0 < ogs_fqdn_parse(dnn,
            message->pdi.network_instance.data,
@ -665,7 +665,7 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_update_pdr(ogs_pfcp_sess_t *sess,
        }

        if (message->pdi.network_instance.presence) {
-            char dnn[OGS_MAX_DNN_LEN];
+            char dnn[OGS_MAX_DNN_LEN+1];

            ogs_assert(0 < ogs_fqdn_parse(dnn,
                message->pdi.network_instance.data,
--- a/lib/pfcp/types.c
+++ b/lib/pfcp/types.c
@ -175,7 +175,7 @@ int16_t ogs_pfcp_parse_user_plane_ip_resource_info(

        ogs_assert(0 < ogs_fqdn_parse(
                    info->network_instance, (char *)octet->data + size,
-                    ogs_min(len, OGS_MAX_APN_LEN+1)));
+                    ogs_min(len, OGS_MAX_APN_LEN)+1));
        size += len;
    }

--- a/src/mme/mme-s11-build.c
+++ b/src/mme/mme-s11-build.c
@ -41,7 +41,7 @@ ogs_pkbuf_t *mme_s11_build_create_session_request(
    ogs_gtp_ue_timezone_t ue_timezone;
    struct timeval now;
    struct tm time_exp;
-    char apn[OGS_MAX_APN_LEN];
+    char apn[OGS_MAX_APN_LEN+1];
 	
    ogs_gtp_indication_t indication;

--- a/src/sgwc/s11-handler.c
+++ b/src/sgwc/s11-handler.c
@ -127,7 +127,7 @@ void sgwc_s11_handle_create_session_request(
    ogs_gtp_f_teid_t *mme_s11_teid = NULL;
    ogs_gtp_uli_t uli;
    ogs_gtp_bearer_qos_t bearer_qos;
-    char apn[OGS_MAX_APN_LEN];
+    char apn[OGS_MAX_APN_LEN+1];

    ogs_assert(s11_xact);
    ogs_assert(gtpbuf);
--- a/src/smf/context.c
+++ b/src/smf/context.c
@ -1019,7 +1019,7 @@ smf_sess_t *smf_sess_add_by_gtp_message(ogs_gtp_message_t *message)
 {
    smf_ue_t *smf_ue = NULL;
    smf_sess_t *sess = NULL;
-    char apn[OGS_MAX_APN_LEN];
+    char apn[OGS_MAX_APN_LEN+1];

    ogs_gtp_create_session_request_t *req = &message->create_session_request;

--- a/tests/non3gpp/s2b-build.c
+++ b/tests/non3gpp/s2b-build.c
@ -41,7 +41,7 @@ ogs_pkbuf_t *test_s2b_build_create_session_request(
    ogs_gtp_ambr_t ambr;
    ogs_gtp_bearer_qos_t bearer_qos;
    char bearer_qos_buf[GTP_BEARER_QOS_LEN];
-    char apn[OGS_MAX_APN_LEN];
+    char apn[OGS_MAX_APN_LEN+1];

    ogs_gtp_indication_t indication;