open5gs/lib/nas/5gs/support
Sukchan Lee d1d3ec6fcb [SEC] Several vulnerabilities have been resolved.
1. Reachable assertion in ogs_nas_5gmm_decode

Location: lib/nas/5gs/decoder.c:4445

```c
int ogs_nas_5gmm_decode(ogs_nas_5gs_message_t *message, ogs_pkbuf_t *pkbuf)
{
    int size = 0;
    int decoded = 0;

    ogs_assert(pkbuf);
    ogs_assert(pkbuf->data);
    ogs_assert(pkbuf->len);
```

When a NAS payload with no data is received over NGAP (`src/amf/context.c:1675`), the ogs_assert(pkbuf->len) assertion will be triggered.

2. Reachable assertion in ogs_nas_emm_decode

```c
int ogs_nas_emm_decode(ogs_nas_eps_message_t *message, ogs_pkbuf_t *pkbuf)
{
    int size = 0;
    int decoded = 0;

    ogs_assert(pkbuf);
    ogs_assert(pkbuf->data);
    ogs_assert(pkbuf->len);
```

Nearly identical to (1), but for LTE.

3. Reachable assertion in nas_eps_send_emm_to_esm

```c
int nas_eps_send_emm_to_esm(mme_ue_t *mme_ue,
        ogs_nas_esm_message_container_t *esm_message_container)
{
    int rv;
    ogs_pkbuf_t *esmbuf = NULL;

    if (!mme_ue_cycle(mme_ue)) {
        ogs_error("UE(mme-ue) context has already been removed");
        return OGS_NOTFOUND;
    }

    ogs_assert(esm_message_container);
    ogs_assert(esm_message_container->length);
```

The ESM message payload may be 0-length, as the length is determined by a field in the NAS payload (which can be chosen arbitrarily by an attacker). This leads to the length assertion above being triggered.

5. Reachable assertion and incorrect hash calculation in ogs_kdf_hash_mme

```c
void ogs_kdf_hash_mme(const uint8_t *message, uint8_t message_len, uint8_t *hash_mme)
{
    uint8_t key[32];
    uint8_t output[OGS_SHA256_DIGEST_SIZE];

    ogs_assert(message);
    ogs_assert(message_len);
    ogs_assert(hash_mme);

    memset(key, 0, 32);
    ogs_hmac_sha256(key, 32, message, message_len,
            output, OGS_SHA256_DIGEST_SIZE);

    memcpy(hash_mme, output+24, OGS_HASH_MME_LEN);
}
```

When handling NAS attach requests or TAU requests, the ogs_kdf_hash_mme function is passed the NAS payload. However, the length field is represented as an unsigned 8-bit integer, which the passed length of the packet may overflow. This leads to the passed value being truncated.

When the passed value is a multiple of 256, the above assertion (ogs_assert(message_len)) is triggered. Otherwise, the hash is computed on only the first n bits of the message (where n = actual_message_len % 256).
2024-02-03 10:41:12 +09:00
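The four findings in the commit message share one root cause: a length that the peer controls (the NGAP payload size, the ESM message container length field, the byte count handed to an 8-bit KDF parameter) reaches an `ogs_assert()` or a narrowing conversion without being validated first. The following C program is an added illustration, not code from open5gs or from this commit: it parses a constructed message layout (one type byte followed by a 2-byte big-endian length-value element, modelled on the LV-E shape of the ESM message container) and turns each of the conditions that would have aborted the process into an error return. The function names, the `NAS_*` error codes, the `nas_view_t` type and the sample bytes are all this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return codes for this example (constructed here, not open5gs' OGS_* values). */
enum {
    NAS_OK            = 0,
    NAS_ERR_EMPTY     = -1,   /* zero-length payload or element */
    NAS_ERR_TRUNCATED = -2,   /* length field claims more bytes than were received */
    NAS_ERR_TOO_LONG  = -3    /* length does not fit the callee's 8-bit parameter */
};

/* Borrowed view of an element's value bytes (hypothetical type). */
typedef struct {
    const uint8_t *data;
    size_t len;
} nas_view_t;

/*
 * Parse a length-value element: 2-byte big-endian length, then the value.
 * The length is attacker-controlled, so every assumption a downstream
 * ogs_assert() would make (non-NULL, non-zero, in bounds) is checked here
 * and reported as an error code instead of aborting the process.
 */
int nas_parse_lve(const uint8_t *buf, size_t buflen, nas_view_t *out)
{
    if (buf == NULL || out == NULL || buflen < 2)
        return NAS_ERR_TRUNCATED;

    size_t len = ((size_t)buf[0] << 8) | buf[1];
    if (len == 0)
        return NAS_ERR_EMPTY;          /* would trip ogs_assert(container->length) */
    if (len > buflen - 2)
        return NAS_ERR_TRUNCATED;      /* would read past the received bytes */

    out->data = buf + 2;
    out->len = len;
    return NAS_OK;
}

/*
 * Decoder entry for the constructed layout:
 *   byte 0    : message type (ignored here)
 *   bytes 1.. : length-value element carrying the container
 * Same shape as the decode functions quoted in the commit message, but an
 * empty buffer yields NAS_ERR_EMPTY rather than hitting ogs_assert(pkbuf->len).
 */
int nas_decode_message(const uint8_t *pkt, size_t pktlen, nas_view_t *container)
{
    if (pkt == NULL || pktlen == 0)
        return NAS_ERR_EMPTY;
    if (pktlen < 1 + 2)
        return NAS_ERR_TRUNCATED;
    return nas_parse_lve(pkt + 1, pktlen - 1, container);
}

/*
 * Length guard for a KDF whose prototype takes uint8_t message_len.
 * Narrowing size_t -> uint8_t silently keeps message_len % 256, so 256
 * becomes 0 (assertion) and 300 becomes 44 (hash over the wrong prefix).
 * Reject anything that does not round-trip instead of letting it narrow.
 */
int nas_narrow_hash_len(size_t message_len, uint8_t *narrow)
{
    if (narrow == NULL)
        return NAS_ERR_TRUNCATED;
    if (message_len == 0)
        return NAS_ERR_EMPTY;
    if (message_len > UINT8_MAX)
        return NAS_ERR_TOO_LONG;
    *narrow = (uint8_t)message_len;
    return NAS_OK;
}

/* What the unguarded implicit conversion produces, for comparison. */
uint8_t nas_truncated_len(size_t message_len)
{
    return (uint8_t)message_len;
}

int main(void)
{
    /* Constructed sample messages (not captured traffic). */
    const uint8_t good[]     = { 0x41, 0x00, 0x03, 0xAA, 0xBB, 0xCC };
    const uint8_t zero_len[] = { 0x41, 0x00, 0x00 };
    const uint8_t overlong[] = { 0x41, 0x00, 0x10, 0xAA };
    nas_view_t v = { NULL, 0 };

    printf("good:     %d (len %zu)\n", nas_decode_message(good, sizeof good, &v), v.len);
    printf("zero_len: %d\n", nas_decode_message(zero_len, sizeof zero_len, &v));
    printf("overlong: %d\n", nas_decode_message(overlong, sizeof overlong, &v));
    printf("empty:    %d\n", nas_decode_message(good, 0, &v));
    printf("len 256 narrows to %u\n", nas_truncated_len(256));
    return 0;
}
```

The decode path rejects the three cases the commit describes (empty payload, zero-length container, length beyond the received bytes) with distinct error codes, so a caller can log and drop the message while the process keeps serving other UEs; `nas_narrow_hash_len` shows the check that has to sit in front of any `uint8_t` length parameter, because the conversion itself gives no indication that 256 has become 0.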
..
cache [Release-17] Upgrade NAS to v17.8.0 2023-03-04 23:47:40 +09:00
24501-h90.docx [Release-17] Upgrade NAS to v17.8.0 2023-03-04 23:47:40 +09:00
README.md [Release-17] Upgrade GTPv1/v2 to v17.4.0/v17.7.0 2023-03-05 12:37:14 +09:00
nas-message.py [SEC] Several vulnerabilities have been resolved. 2024-02-03 10:41:12 +09:00
type-list.py [NRF] fix the crash for invalid FQDN (#1333) 2022-01-22 09:34:38 +09:00

README.md

  • Install python-docx

    ```
    user@host ~/Documents/git/open5gs/lib/nas/5gs/support$ sudo pip3 install python-docx
    ```

  • Change the format of standard specification from 24301-d80.doc to 24301-d80.docx using Microsoft Office 2007+

  • Adjust table cell in 24301-h90.docx

  • Generate Message support files

    ```
    user@host ~/Documents/git/open5gs/lib/nas/5gs/support$ python3 nas-message.py -f 24501-h90.docx -o ..
    ```

  • Check lib/nas/5gs/decoder.c $ diff --git a/lib/nas/5gs/decoder.c b/lib/nas/5gs/decoder.c index c03e529ec..f471f294b 100644 --- a/lib/nas/5gs/decoder.c +++ b/lib/nas/5gs/decoder.c @@ -968,7 +968,6 @@ int ogs_nas_5gs_decode_registration_accept(ogs_nas_5gs_message_t message, ogs_p registration_accept->presencemask |= OGS_NAS_5GS_REGISTRATION_ACCEPT_NEGOTIATED_PEIPS_ASSISTANCE_INFORMATION_PRESENT; decoded += size; break; -#if 0 / Modified by acetcom */ case OGS_NAS_5GS_REGISTRATION_ACCEPT_5GS_ADDITIONAL_REQUEST_RESULT_TYPE: size = ogs_nas_5gs_decode_5gs_additional_request_result(&registration_accept->additional_request_result, pkbuf); if (size < 0) { @@ -979,7 +978,6 @@ int ogs_nas_5gs_decode_registration_accept(ogs_nas_5gs_message_t *message, ogs_p registration_accept->presencemask |= OGS_NAS_5GS_REGISTRATION_ACCEPT_5GS_ADDITIONAL_REQUEST_RESULT_PRESENT; decoded += size; break; -#endif case OGS_NAS_5GS_REGISTRATION_ACCEPT_NSSRG_INFORMATION_TYPE: size = ogs_nas_5gs_decode_nssrg_information(&registration_accept->nssrg_information, pkbuf); if (size < 0) {
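Review bot: the hunk shown drops the `#if 0` ("Modified by acetcom") / `#endif` guard around the `OGS_NAS_5GS_REGISTRATION_ACCEPT_5GS_ADDITIONAL_REQUEST_RESULT_TYPE` case, which is exactly the hand edit this "Check lib/nas/5gs/decoder.c" step exists to catch: the regenerated decoder re-enables a case that was deliberately disabled, so after running nas-message.py the guard has to be restored (or the generator taught to emit it) rather than committing the diff as-is. It would also help to record in this README why that case is disabled, so the next person regenerating the file does not have to work it out from the diff.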

  • Add the new structures to types.h