forked from acouzens/open5gs
Fix the possible vulnerabilities
This commit is contained in:
parent
f1a207fd9b
commit
830587a250
|
@ -737,8 +737,7 @@ void emm_state_security_mode(ogs_fsm_t *s, mme_event_t *e)
|
|||
/* Now, We will check the MAC in the NAS message*/
|
||||
h.type = e->nas_type;
|
||||
if (h.integrity_protected == 0) {
|
||||
ogs_error("Security-mode : No Integrity Protected in IMSI[%s]",
|
||||
mme_ue->imsi_bcd);
|
||||
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
|
||||
|
||||
nas_eps_send_attach_reject(mme_ue,
|
||||
EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
||||
|
@ -748,7 +747,7 @@ void emm_state_security_mode(ogs_fsm_t *s, mme_event_t *e)
|
|||
}
|
||||
|
||||
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
|
||||
ogs_warn("No Security Context : IMSI[%s]", mme_ue->imsi_bcd);
|
||||
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
|
||||
nas_eps_send_attach_reject(mme_ue,
|
||||
EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
||||
ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED);
|
||||
|
@ -864,6 +863,7 @@ void emm_state_initial_context_setup(ogs_fsm_t *s, mme_event_t *e)
|
|||
int rv;
|
||||
mme_ue_t *mme_ue = NULL;
|
||||
ogs_nas_eps_message_t *message = NULL;
|
||||
ogs_nas_security_header_type_t h;
|
||||
|
||||
ogs_assert(s);
|
||||
ogs_assert(e);
|
||||
|
@ -887,6 +887,26 @@ void emm_state_initial_context_setup(ogs_fsm_t *s, mme_event_t *e)
|
|||
ogs_debug("Attach complete");
|
||||
ogs_debug(" IMSI[%s]", mme_ue->imsi_bcd);
|
||||
|
||||
h.type = e->nas_type;
|
||||
if (h.integrity_protected == 0) {
|
||||
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
|
||||
|
||||
nas_eps_send_attach_reject(mme_ue,
|
||||
EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
||||
ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED);
|
||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
||||
break;
|
||||
}
|
||||
|
||||
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
|
||||
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
|
||||
nas_eps_send_attach_reject(mme_ue,
|
||||
EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
||||
ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED);
|
||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
||||
break;
|
||||
}
|
||||
|
||||
rv = emm_handle_attach_complete(
|
||||
mme_ue, &message->emm.attach_complete);
|
||||
if (rv != OGS_OK) {
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
#include "esm-build.h"
|
||||
#include "esm-handler.h"
|
||||
#include "mme-s11-handler.h"
|
||||
#include "s1ap-path.h"
|
||||
#include "nas-path.h"
|
||||
#include "mme-gtp-path.h"
|
||||
|
||||
|
@ -54,6 +55,7 @@ void esm_state_inactive(ogs_fsm_t *s, mme_event_t *e)
|
|||
mme_sess_t *sess = NULL;
|
||||
mme_bearer_t *bearer = NULL;
|
||||
ogs_nas_eps_message_t *message = NULL;
|
||||
ogs_nas_security_header_type_t h;
|
||||
|
||||
ogs_assert(s);
|
||||
ogs_assert(e);
|
||||
|
@ -90,8 +92,8 @@ void esm_state_inactive(ogs_fsm_t *s, mme_event_t *e)
|
|||
}
|
||||
break;
|
||||
case OGS_NAS_EPS_PDN_DISCONNECT_REQUEST:
|
||||
ogs_fatal("PDN disconnect request");
|
||||
ogs_fatal(" IMSI[%s] PTI[%d] EBI[%d]",
|
||||
ogs_debug("PDN disconnect request");
|
||||
ogs_debug(" IMSI[%s] PTI[%d] EBI[%d]",
|
||||
mme_ue->imsi_bcd, sess->pti, bearer->ebi);
|
||||
if (MME_HAVE_SGW_S1U_PATH(sess)) {
|
||||
mme_gtp_send_delete_session_request(sess,
|
||||
|
@ -107,6 +109,34 @@ void esm_state_inactive(ogs_fsm_t *s, mme_event_t *e)
|
|||
mme_ue->imsi_bcd, sess->pti, bearer->ebi);
|
||||
|
||||
CLEAR_BEARER_TIMER(bearer->t3489);
|
||||
|
||||
h.type = e->nas_type;
|
||||
if (h.integrity_protected == 0) {
|
||||
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
|
||||
nas_eps_send_attach_reject(mme_ue,
|
||||
EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
||||
ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED);
|
||||
ogs_assert(mme_ue->enb_ue);
|
||||
s1ap_send_ue_context_release_command(mme_ue->enb_ue,
|
||||
S1AP_Cause_PR_nas, S1AP_CauseNas_normal_release,
|
||||
S1AP_UE_CTX_REL_UE_CONTEXT_REMOVE, 0);
|
||||
OGS_FSM_TRAN(s, &esm_state_exception);
|
||||
break;
|
||||
}
|
||||
|
||||
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
|
||||
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
|
||||
nas_eps_send_attach_reject(mme_ue,
|
||||
EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
||||
ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED);
|
||||
ogs_assert(mme_ue->enb_ue);
|
||||
s1ap_send_ue_context_release_command(mme_ue->enb_ue,
|
||||
S1AP_Cause_PR_nas, S1AP_CauseNas_normal_release,
|
||||
S1AP_UE_CTX_REL_UE_CONTEXT_REMOVE, 0);
|
||||
OGS_FSM_TRAN(s, &esm_state_exception);
|
||||
break;
|
||||
}
|
||||
|
||||
rv = esm_handle_information_response(
|
||||
sess, &message->esm.esm_information_response);
|
||||
if (rv != OGS_OK) {
|
||||
|
|
|
@ -56,7 +56,7 @@ int nas_eps_send_emm_to_esm(mme_ue_t *mme_ue,
|
|||
ogs_pkbuf_put_data(esmbuf,
|
||||
esm_message_container->buffer, esm_message_container->length);
|
||||
|
||||
rv = s1ap_send_to_esm(mme_ue, esmbuf);
|
||||
rv = s1ap_send_to_esm(mme_ue, esmbuf, 0);
|
||||
if (rv != OGS_OK) {
|
||||
ogs_error("s1ap_send_to_esm() failed");
|
||||
}
|
||||
|
|
|
@ -123,7 +123,7 @@ int s1ap_delayed_send_to_enb_ue(
|
|||
}
|
||||
}
|
||||
|
||||
int s1ap_send_to_esm(mme_ue_t *mme_ue, ogs_pkbuf_t *esmbuf)
|
||||
int s1ap_send_to_esm(mme_ue_t *mme_ue, ogs_pkbuf_t *esmbuf, uint8_t nas_type)
|
||||
{
|
||||
int rv;
|
||||
mme_event_t *e = NULL;
|
||||
|
@ -135,6 +135,7 @@ int s1ap_send_to_esm(mme_ue_t *mme_ue, ogs_pkbuf_t *esmbuf)
|
|||
ogs_assert(e);
|
||||
e->mme_ue = mme_ue;
|
||||
e->pkbuf = esmbuf;
|
||||
e->nas_type = nas_type;
|
||||
rv = ogs_queue_push(ogs_app()->queue, e);
|
||||
if (rv != OGS_OK) {
|
||||
ogs_warn("ogs_queue_push() failed:%d", (int)rv);
|
||||
|
@ -233,7 +234,7 @@ int s1ap_send_to_nas(enb_ue_t *enb_ue,
|
|||
ogs_error("No UE Context");
|
||||
return OGS_ERROR;
|
||||
}
|
||||
return s1ap_send_to_esm(mme_ue, nasbuf);
|
||||
return s1ap_send_to_esm(mme_ue, nasbuf, security_header_type.type);
|
||||
} else {
|
||||
ogs_error("Unknown/Unimplemented NAS Protocol discriminator 0x%02x",
|
||||
h->protocol_discriminator);
|
||||
|
|
|
@ -46,7 +46,7 @@ int s1ap_delayed_send_to_enb_ue(enb_ue_t *enb_ue,
|
|||
ogs_pkbuf_t *pkbuf, ogs_time_t duration);
|
||||
int s1ap_send_to_nas(enb_ue_t *enb_ue,
|
||||
S1AP_ProcedureCode_t procedureCode, S1AP_NAS_PDU_t *nasPdu);
|
||||
int s1ap_send_to_esm(mme_ue_t *mme_ue, ogs_pkbuf_t *esmbuf);
|
||||
int s1ap_send_to_esm(mme_ue_t *mme_ue, ogs_pkbuf_t *esmbuf, uint8_t nas_type);
|
||||
|
||||
void s1ap_send_s1_setup_response(mme_enb_t *enb);
|
||||
void s1ap_send_s1_setup_failure(
|
||||
|
|
Loading…
Reference in New Issue