Fix the possible vulnerabilities

Sukchan Lee 2020-11-07 21:25:53 -05:00
parent f1a207fd9b
commit 830587a250
5 changed files with 60 additions and 9 deletions


@ -737,8 +737,7 @@ void emm_state_security_mode(ogs_fsm_t *s, mme_event_t *e)
/* Now, We will check the MAC in the NAS message*/
h.type = e->nas_type;
if (h.integrity_protected == 0) {
ogs_error("Security-mode : No Integrity Protected in IMSI[%s]",
mme_ue->imsi_bcd);
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
nas_eps_send_attach_reject(mme_ue,
EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
@ -748,7 +747,7 @@ void emm_state_security_mode(ogs_fsm_t *s, mme_event_t *e)
}
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
ogs_warn("No Security Context : IMSI[%s]", mme_ue->imsi_bcd);
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
nas_eps_send_attach_reject(mme_ue,
EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED);
@ -864,6 +863,7 @@ void emm_state_initial_context_setup(ogs_fsm_t *s, mme_event_t *e)
int rv;
mme_ue_t *mme_ue = NULL;
ogs_nas_eps_message_t *message = NULL;
ogs_nas_security_header_type_t h;
ogs_assert(s);
ogs_assert(e);
@ -887,6 +887,26 @@ void emm_state_initial_context_setup(ogs_fsm_t *s, mme_event_t *e)
ogs_debug("Attach complete");
ogs_debug(" IMSI[%s]", mme_ue->imsi_bcd);
h.type = e->nas_type;
if (h.integrity_protected == 0) {
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
nas_eps_send_attach_reject(mme_ue,
EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED);
OGS_FSM_TRAN(s, &emm_state_exception);
break;
}
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
nas_eps_send_attach_reject(mme_ue,
EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED);
OGS_FSM_TRAN(s, &emm_state_exception);
break;
}
rv = emm_handle_attach_complete(
mme_ue, &message->emm.attach_complete);
if (rv != OGS_OK) {
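Review bot: The two guards added before `emm_handle_attach_complete()` answer a message that failed the protection check with `nas_eps_send_attach_reject()` and a transition to `emm_state_exception`, so input that was never authenticated still changes the UE's state. Consider logging and leaving the case with `break` only, so an unprotected Attach Complete is dropped and the established context is left alone; I believe the integrity-checking rules in 3GPP TS 24.301 ask for a discard here, but confirm against the spec. The same applies to the ESM information response guards added in `esm_state_inactive`, which additionally release the UE context. `h.integrity_protected` reflects only the security header type carried in `e->nas_type`, and whether the MAC itself was verified is decided outside this hunk, so a comment such as `/* header type only; MAC is verified during NAS security decode */` (wording to be confirmed against the decoder) would help. The function body starts and ends outside the hunk.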


@ -25,6 +25,7 @@
#include "esm-build.h"
#include "esm-handler.h"
#include "mme-s11-handler.h"
#include "s1ap-path.h"
#include "nas-path.h"
#include "mme-gtp-path.h"
@ -54,6 +55,7 @@ void esm_state_inactive(ogs_fsm_t *s, mme_event_t *e)
mme_sess_t *sess = NULL;
mme_bearer_t *bearer = NULL;
ogs_nas_eps_message_t *message = NULL;
ogs_nas_security_header_type_t h;
ogs_assert(s);
ogs_assert(e);
@ -90,8 +92,8 @@ void esm_state_inactive(ogs_fsm_t *s, mme_event_t *e)
}
break;
case OGS_NAS_EPS_PDN_DISCONNECT_REQUEST:
ogs_fatal("PDN disconnect request");
ogs_fatal(" IMSI[%s] PTI[%d] EBI[%d]",
ogs_debug("PDN disconnect request");
ogs_debug(" IMSI[%s] PTI[%d] EBI[%d]",
mme_ue->imsi_bcd, sess->pti, bearer->ebi);
if (MME_HAVE_SGW_S1U_PATH(sess)) {
mme_gtp_send_delete_session_request(sess,
@ -107,6 +109,34 @@ void esm_state_inactive(ogs_fsm_t *s, mme_event_t *e)
mme_ue->imsi_bcd, sess->pti, bearer->ebi);
CLEAR_BEARER_TIMER(bearer->t3489);
h.type = e->nas_type;
if (h.integrity_protected == 0) {
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
nas_eps_send_attach_reject(mme_ue,
EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED);
ogs_assert(mme_ue->enb_ue);
s1ap_send_ue_context_release_command(mme_ue->enb_ue,
S1AP_Cause_PR_nas, S1AP_CauseNas_normal_release,
S1AP_UE_CTX_REL_UE_CONTEXT_REMOVE, 0);
OGS_FSM_TRAN(s, &esm_state_exception);
break;
}
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
nas_eps_send_attach_reject(mme_ue,
EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED);
ogs_assert(mme_ue->enb_ue);
s1ap_send_ue_context_release_command(mme_ue->enb_ue,
S1AP_Cause_PR_nas, S1AP_CauseNas_normal_release,
S1AP_UE_CTX_REL_UE_CONTEXT_REMOVE, 0);
OGS_FSM_TRAN(s, &esm_state_exception);
break;
}
rv = esm_handle_information_response(
sess, &message->esm.esm_information_response);
if (rv != OGS_OK) {
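Review bot: `ogs_assert(mme_ue->enb_ue)` sits on the path taken for an unprotected or context-less ESM information response, so if `enb_ue` can be unset at that point the MME aborts on input it was about to reject. A checked branch keeps the failure local: `if (mme_ue->enb_ue) s1ap_send_ue_context_release_command(...); else ogs_error("[%s] No S1 context", mme_ue->imsi_bcd);`. The two guard blocks are identical apart from the log call and repeat the ones added in `emm_state_initial_context_setup`; a single static helper that returns whether the message may be processed would keep the copies from drifting apart. The case body continues outside the hunk.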


@ -56,7 +56,7 @@ int nas_eps_send_emm_to_esm(mme_ue_t *mme_ue,
ogs_pkbuf_put_data(esmbuf,
esm_message_container->buffer, esm_message_container->length);
rv = s1ap_send_to_esm(mme_ue, esmbuf);
rv = s1ap_send_to_esm(mme_ue, esmbuf, 0);
if (rv != OGS_OK) {
ogs_error("s1ap_send_to_esm() failed");
}
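Review bot: The literal `0` passed as `nas_type` needs a comment, because it makes every ESM message forwarded from an EMM container look unprotected to any handler that tests `e->nas_type`, regardless of how the outer EMM message was protected. That is harmless only while no ESM handler reachable through this path applies the new `h.integrity_protected` check, which cannot be confirmed from this hunk. Either forward the outer message's security header type, or state the intent at the call, e.g. `/* piggybacked ESM: outer security header type is not propagated */`. `nas_eps_send_emm_to_esm` starts and ends outside the hunk.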


@ -123,7 +123,7 @@ int s1ap_delayed_send_to_enb_ue(
}
}
int s1ap_send_to_esm(mme_ue_t *mme_ue, ogs_pkbuf_t *esmbuf)
int s1ap_send_to_esm(mme_ue_t *mme_ue, ogs_pkbuf_t *esmbuf, uint8_t nas_type)
{
int rv;
mme_event_t *e = NULL;
@ -135,6 +135,7 @@ int s1ap_send_to_esm(mme_ue_t *mme_ue, ogs_pkbuf_t *esmbuf)
ogs_assert(e);
e->mme_ue = mme_ue;
e->pkbuf = esmbuf;
e->nas_type = nas_type;
rv = ogs_queue_push(ogs_app()->queue, e);
if (rv != OGS_OK) {
ogs_warn("ogs_queue_push() failed:%d", (int)rv);
@ -233,7 +234,7 @@ int s1ap_send_to_nas(enb_ue_t *enb_ue,
ogs_error("No UE Context");
return OGS_ERROR;
}
return s1ap_send_to_esm(mme_ue, nasbuf);
return s1ap_send_to_esm(mme_ue, nasbuf, security_header_type.type);
} else {
ogs_error("Unknown/Unimplemented NAS Protocol discriminator 0x%02x",
h->protocol_discriminator);


@ -46,7 +46,7 @@ int s1ap_delayed_send_to_enb_ue(enb_ue_t *enb_ue,
ogs_pkbuf_t *pkbuf, ogs_time_t duration);
int s1ap_send_to_nas(enb_ue_t *enb_ue,
S1AP_ProcedureCode_t procedureCode, S1AP_NAS_PDU_t *nasPdu);
int s1ap_send_to_esm(mme_ue_t *mme_ue, ogs_pkbuf_t *esmbuf);
int s1ap_send_to_esm(mme_ue_t *mme_ue, ogs_pkbuf_t *esmbuf, uint8_t nas_type);
void s1ap_send_s1_setup_response(mme_enb_t *enb);
void s1ap_send_s1_setup_failure(