sysmocom
/
open5gs
forked from acouzens/open5gs
11
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[CORE] Add defense code to ogs_pkbuf_copy (#2032) 

Added a defense code to prevent NF crash when ogs_pkbuf_copy() size is 0.
This commit is contained in:
Sukchan Lee 2023-01-29 16:45:42 +09:00
parent b7386284a7
commit 131ecb4a44
2 changed files with 39 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
lib/core/ogs-pkbuf.c
View File

@ -317,11 +317,21 @@ ogs_pkbuf_t *ogs_pkbuf_copy_debug(ogs_pkbuf_t *pkbuf, const char *file_line)
{ {
#if OGS_USE_TALLOC #if OGS_USE_TALLOC
ogs_pkbuf_t *newbuf; ogs_pkbuf_t *newbuf;
#else
ogs_pkbuf_pool_t *pool = NULL;
ogs_pkbuf_t *newbuf = NULL;
#endif
int size = 0; int size = 0;
ogs_assert(pkbuf); ogs_assert(pkbuf);
size = pkbuf->end - pkbuf->head; size = pkbuf->end - pkbuf->head;
ogs_assert(size > 0); if (size <= 0) {
ogs_error("Invalid argument[size=%d, head=%p, end=%p] in (%s)",
size, pkbuf->head, pkbuf->end, file_line);
return NULL;
}
#if OGS_USE_TALLOC
newbuf = ogs_pkbuf_alloc_debug(NULL, size, file_line); newbuf = ogs_pkbuf_alloc_debug(NULL, size, file_line);
if (!newbuf) { if (!newbuf) {
ogs_error("ogs_pkbuf_alloc() failed [size=%d]", size); ogs_error("ogs_pkbuf_alloc() failed [size=%d]", size);
@ -339,10 +349,6 @@ ogs_pkbuf_t *ogs_pkbuf_copy_debug(ogs_pkbuf_t *pkbuf, const char *file_line)
return newbuf; return newbuf;
#else #else
ogs_pkbuf_pool_t *pool = NULL;
ogs_pkbuf_t *newbuf = NULL;
ogs_assert(pkbuf);
pool = pkbuf->pool; pool = pkbuf->pool;
ogs_assert(pool); ogs_assert(pool);
@ -350,7 +356,7 @@ ogs_pkbuf_t *ogs_pkbuf_copy_debug(ogs_pkbuf_t *pkbuf, const char *file_line)
ogs_pool_alloc(&pool->pkbuf, &newbuf); ogs_pool_alloc(&pool->pkbuf, &newbuf);
if (!newbuf) { if (!newbuf) {
ogs_error("ogs_pkbuf_copy() failed"); ogs_error("ogs_pkbuf_copy() failed [size=%d]", size);
ogs_thread_mutex_unlock(&pool->mutex); ogs_thread_mutex_unlock(&pool->mutex);
return NULL; return NULL;
} }

29
lib/sbi/message.c
View File

@ -2373,7 +2373,18 @@ static int parse_multipart(
http->part[http->num_of_part].pkbuf = http->part[http->num_of_part].pkbuf =
ogs_pkbuf_alloc(NULL, data.part[i].content_length); ogs_pkbuf_alloc(NULL, data.part[i].content_length);
if (!(http->part[http->num_of_part].pkbuf)) { if (!(http->part[http->num_of_part].pkbuf)) {
ogs_error("ogs_pkbuf_alloc() failed"); ogs_error("ogs_pkbuf_copy() failed");
if (data.part[i].content_id)
ogs_free(data.part[i].content_id);
if (data.part[i].content_type)
ogs_free(data.part[i].content_type);
if (data.part[i].content)
ogs_free(data.part[i].content);
if (data.header_field)
ogs_free(data.header_field);
return OGS_ERROR; return OGS_ERROR;
} }
ogs_pkbuf_put_data(http->part[http->num_of_part].pkbuf, ogs_pkbuf_put_data(http->part[http->num_of_part].pkbuf,
@ -2386,7 +2397,21 @@ static int parse_multipart(
message->part[message->num_of_part].pkbuf = message->part[message->num_of_part].pkbuf =
ogs_pkbuf_copy(http->part[http->num_of_part].pkbuf); ogs_pkbuf_copy(http->part[http->num_of_part].pkbuf);
if (!(message->part[http->num_of_part].pkbuf)) { if (!(message->part[http->num_of_part].pkbuf)) {
ogs_error("ogs_pkbuf_alloc() failed"); ogs_error("ogs_pkbuf_copy() failed");
if (data.part[i].content_id)
ogs_free(data.part[i].content_id);
if (data.part[i].content_type)
ogs_free(data.part[i].content_type);
if (data.part[i].content)
ogs_free(data.part[i].content);
if (data.header_field)
ogs_free(data.header_field);
if (http->part[http->num_of_part].pkbuf)
ogs_pkbuf_free(http->part[http->num_of_part].pkbuf);
return OGS_ERROR; return OGS_ERROR;
} }