From 5c726684b3ca38bd91982b0fbbeaab2c768f4bb5 Mon Sep 17 00:00:00 2001
From: Sukchan Lee <acetcom@gmail.com>
Date: Sat, 26 Aug 2023 16:28:42 +0900
Subject: [PATCH] [TLV] GTP parser crashg from FuzzingLabs

See below for details
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61780#c1
---
 lib/gtp/v1/message.c           | 9 ++-------
 lib/gtp/v1/message.h           | 3 ++-
 lib/gtp/v1/support/gtp1-tlv.py | 7 ++++---
 lib/gtp/v2/message.c           | 5 +----
 lib/gtp/v2/message.h           | 2 +-
 lib/gtp/v2/support/gtp-tlv.py  | 7 ++++---
 6 files changed, 14 insertions(+), 19 deletions(-)

diff --git a/lib/gtp/v1/message.c b/lib/gtp/v1/message.c
index 1621de461..c55d751a8 100644
--- a/lib/gtp/v1/message.c
+++ b/lib/gtp/v1/message.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2019 by Sukchan Lee <acetcom@gmail.com>
  * Copyright (C) 2022 by sysmocom - s.f.m.c. GmbH <info@sysmocom.de>
+ * Copyright (C) 2023 by Sukchan Lee <acetcom@gmail.com>
  *
  * This file is part of Open5GS.
  *
@@ -21,7 +22,7 @@
 /*******************************************************************************
  * This file had been created by gtp1-tlv.py script v0.1.0
  * Please do not modify this file but regenerate it via script.
- * Created on: 2023-03-05 12:29:34.542862 by acetcom
+ * Created on: 2023-08-26 16:26:00.627882 by acetcom
  * from 29060-h40.docx
  ******************************************************************************/
 
@@ -2313,9 +2314,6 @@ int ogs_gtp1_parse_msg(ogs_gtp1_message_t *gtp1_message, ogs_pkbuf_t *pkbuf)
 
     switch(gtp1_message->h.type) {
     case OGS_GTP1_ECHO_REQUEST_TYPE:
-        rv = ogs_tlv_parse_msg_desc(&gtp1_message->echo_request,
-                &ogs_gtp1_tlv_desc_echo_request, pkbuf, OGS_TLV_MODE_T1_L2);
-        break;
     case OGS_GTP1_ECHO_RESPONSE_TYPE:
         rv = ogs_tlv_parse_msg_desc(&gtp1_message->echo_response,
                 &ogs_gtp1_tlv_desc_echo_response, pkbuf, OGS_TLV_MODE_T1_L2);
@@ -2425,9 +2423,6 @@ int ogs_gtp1_parse_msg(ogs_gtp1_message_t *gtp1_message, ogs_pkbuf_t *pkbuf)
                 &ogs_gtp1_tlv_desc_forward_relocation_response, pkbuf, OGS_TLV_MODE_T1_L2);
         break;
     case OGS_GTP1_FORWARD_RELOCATION_COMPLETE_TYPE:
-        rv = ogs_tlv_parse_msg_desc(&gtp1_message->forward_relocation_complete,
-                &ogs_gtp1_tlv_desc_forward_relocation_complete, pkbuf, OGS_TLV_MODE_T1_L2);
-        break;
     case OGS_GTP1_RELOCATION_CANCEL_REQUEST_TYPE:
         rv = ogs_tlv_parse_msg_desc(&gtp1_message->relocation_cancel_request,
                 &ogs_gtp1_tlv_desc_relocation_cancel_request, pkbuf, OGS_TLV_MODE_T1_L2);
diff --git a/lib/gtp/v1/message.h b/lib/gtp/v1/message.h
index 81a0d2659..93962847e 100644
--- a/lib/gtp/v1/message.h
+++ b/lib/gtp/v1/message.h
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2019 by Sukchan Lee <acetcom@gmail.com>
  * Copyright (C) 2022 by sysmocom - s.f.m.c. GmbH <info@sysmocom.de>
+ * Copyright (C) 2023 by Sukchan Lee <acetcom@gmail.com>
  *
  * This file is part of Open5GS.
  *
@@ -21,7 +22,7 @@
 /*******************************************************************************
  * This file had been created by gtp1-tlv.py script v0.1.0
  * Please do not modify this file but regenerate it via script.
- * Created on: 2023-03-05 12:29:34.536821 by acetcom
+ * Created on: 2023-08-26 16:26:00.621752 by acetcom
  * from 29060-h40.docx
  ******************************************************************************/
 
diff --git a/lib/gtp/v1/support/gtp1-tlv.py b/lib/gtp/v1/support/gtp1-tlv.py
index 6163af4d3..913aeb398 100644
--- a/lib/gtp/v1/support/gtp1-tlv.py
+++ b/lib/gtp/v1/support/gtp1-tlv.py
@@ -635,9 +635,10 @@ f.write("""int ogs_gtp1_parse_msg(ogs_gtp1_message_t *gtp1_message, ogs_pkbuf_t
 for (k, v) in sorted_msg_list:
     if "ies" in msg_list[k]:
         f.write("    case OGS_GTP1_%s_TYPE:\n" % v_upper(k))
-        f.write("        rv = ogs_tlv_parse_msg_desc(&gtp1_message->%s,\n" % v_lower(k))
-        f.write("                &ogs_gtp1_tlv_desc_%s, pkbuf, OGS_TLV_MODE_T1_L2);\n" % v_lower(k))
-        f.write("        break;\n")
+        if k != "Echo Request" and k != "Forward Relocation Complete":
+            f.write("        rv = ogs_tlv_parse_msg_desc(&gtp1_message->%s,\n" % v_lower(k))
+            f.write("                &ogs_gtp1_tlv_desc_%s, pkbuf, OGS_TLV_MODE_T1_L2);\n" % v_lower(k))
+            f.write("        break;\n")
 f.write("""    default:
         ogs_warn("Not implemented(type:%d)", gtp1_message->h.type);
         break;
diff --git a/lib/gtp/v2/message.c b/lib/gtp/v2/message.c
index 8fcfc10db..852caea1f 100644
--- a/lib/gtp/v2/message.c
+++ b/lib/gtp/v2/message.c
@@ -20,7 +20,7 @@
 /*******************************************************************************
  * This file had been created by gtp-tlv.py script v0.1.0
  * Please do not modify this file but regenerate it via script.
- * Created on: 2023-03-05 11:59:11.018342 by acetcom
+ * Created on: 2023-08-26 16:22:05.130327 by acetcom
  * from 29274-h70.docx
  ******************************************************************************/
 
@@ -2983,9 +2983,6 @@ int ogs_gtp2_parse_msg(ogs_gtp2_message_t *gtp2_message, ogs_pkbuf_t *pkbuf)
                 &ogs_gtp2_tlv_desc_create_indirect_data_forwarding_tunnel_response, pkbuf, OGS_TLV_MODE_T1_L2_I1);
         break;
     case OGS_GTP2_DELETE_INDIRECT_DATA_FORWARDING_TUNNEL_REQUEST_TYPE:
-        rv = ogs_tlv_parse_msg(&gtp2_message->delete_indirect_data_forwarding_tunnel_request,
-                &ogs_gtp2_tlv_desc_delete_indirect_data_forwarding_tunnel_request, pkbuf, OGS_TLV_MODE_T1_L2_I1);
-        break;
     case OGS_GTP2_DELETE_INDIRECT_DATA_FORWARDING_TUNNEL_RESPONSE_TYPE:
         rv = ogs_tlv_parse_msg(&gtp2_message->delete_indirect_data_forwarding_tunnel_response,
                 &ogs_gtp2_tlv_desc_delete_indirect_data_forwarding_tunnel_response, pkbuf, OGS_TLV_MODE_T1_L2_I1);
diff --git a/lib/gtp/v2/message.h b/lib/gtp/v2/message.h
index d7a5994d6..0ccdec9c6 100644
--- a/lib/gtp/v2/message.h
+++ b/lib/gtp/v2/message.h
@@ -20,7 +20,7 @@
 /*******************************************************************************
  * This file had been created by gtp-tlv.py script v0.1.0
  * Please do not modify this file but regenerate it via script.
- * Created on: 2023-03-05 11:59:11.013000 by acetcom
+ * Created on: 2023-08-26 16:22:05.124502 by acetcom
  * from 29274-h70.docx
  ******************************************************************************/
 
diff --git a/lib/gtp/v2/support/gtp-tlv.py b/lib/gtp/v2/support/gtp-tlv.py
index 631c9921a..61cc8a2c7 100644
--- a/lib/gtp/v2/support/gtp-tlv.py
+++ b/lib/gtp/v2/support/gtp-tlv.py
@@ -723,9 +723,10 @@ f.write("""int ogs_gtp2_parse_msg(ogs_gtp2_message_t *gtp2_message, ogs_pkbuf_t
 for (k, v) in sorted_msg_list:
     if "ies" in msg_list[k]:
         f.write("    case OGS_GTP2_%s_TYPE:\n" % v_upper(k))
-        f.write("        rv = ogs_tlv_parse_msg(&gtp2_message->%s,\n" % v_lower(k))
-        f.write("                &ogs_gtp2_tlv_desc_%s, pkbuf, OGS_TLV_MODE_T1_L2_I1);\n" % v_lower(k))
-        f.write("        break;\n")
+        if k != "Delete Indirect Data Forwarding Tunnel Request":
+            f.write("        rv = ogs_tlv_parse_msg(&gtp2_message->%s,\n" % v_lower(k))
+            f.write("                &ogs_gtp2_tlv_desc_%s, pkbuf, OGS_TLV_MODE_T1_L2_I1);\n" % v_lower(k))
+            f.write("        break;\n")
 f.write("""    default:
         ogs_warn("Not implemented(type:%d)", gtp2_message->h.type);
         break;