From aa746794e7505229cbcf93eb2b5b8fdbd7c06373 Mon Sep 17 00:00:00 2001
From: Sukchan Lee
Date: Fri, 15 Sep 2023 07:15:47 +0900
Subject: [PATCH] [GTPU] Fixed Stack-Buffer-Overflow in GTPU (#2609)
---
 lib/gtp/util.c | 6 ++++++
 lib/gtp/v2/types.h | 4 ++++
 2 files changed, 10 insertions(+)
diff --git a/lib/gtp/util.c b/lib/gtp/util.c
index d0b723bec..3ec27d577 100644
--- a/lib/gtp/util.c
+++ b/lib/gtp/util.c
@@ -76,6 +76,12 @@ int ogs_gtpu_parse_header(
 ogs_error("No length in the Extension header");
 return -1;
 }
+
+ if (((*ext_h) * 4) > OGS_GTP2_MAX_EXTENSION_HEADER_LEN) {
+ ogs_error("Overflow length : %d", (*ext_h));
+ return -1;
+ }
+
 if (pkbuf->len < len) {
 ogs_error("the length of the packet is insufficient[%d:%d]",
 pkbuf->len, len);
diff --git a/lib/gtp/v2/types.h b/lib/gtp/v2/types.h
index 33b900a88..a1cc7d574 100644
--- a/lib/gtp/v2/types.h
+++ b/lib/gtp/v2/types.h
@@ -73,6 +73,10 @@ typedef struct ogs_gtp2_extension_header_s {
 uint16_t udp_port;
 uint16_t pdcp_number;
 };
+
+/* sizeof(extension_header.array[i]) */
+#define OGS_GTP2_MAX_EXTENSION_HEADER_LEN 4
+
 #define OGS_GTP2_NUM_OF_EXTENSION_HEADER 8
 } __attribute__ ((packed)) array[OGS_GTP2_NUM_OF_EXTENSION_HEADER];
 } __attribute__ ((packed)) ogs_gtp2_extension_header_t;
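Review bot: With `OGS_GTP2_MAX_EXTENSION_HEADER_LEN` defined as 4 in lib/gtp/v2/types.h, the added comparison `((*ext_h) * 4) > OGS_GTP2_MAX_EXTENSION_HEADER_LEN` accepts only a length field of 1, and nothing in the code says this is intended. Any extension header of 8 octets or more now fails the whole packet with `return -1` instead of being skipped, so a peer sending a longer but well-formed header would presumably have its packets dropped. I would state the reason above the check, e.g. `/* length is in 4-octet units; array[i] holds exactly one unit, so longer headers are rejected rather than stored */`. The store this bound protects and the rest of `ogs_gtpu_parse_header` are outside the hunk, so it cannot be confirmed from here that the check runs before every use of `*ext_h` as a size.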
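Review bot: `OGS_GTP2_MAX_EXTENSION_HEADER_LEN` is a hard-coded 4 that only a comment ties to `sizeof(extension_header.array[i])`, so the bound used by the new check in lib/gtp/util.c goes stale silently if the element ever gains a field. A compile-time check after the typedef would keep the two together, for example `_Static_assert(sizeof(((ogs_gtp2_extension_header_t *)0)->array[0]) == OGS_GTP2_MAX_EXTENSION_HEADER_LEN, "extension header element size");`, or the project's own static-assert macro if it has one. The element's definition starts above the hunk, so the value 4 itself cannot be verified from these lines.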