Review at  https://gerrit.osmocom.org/6448

libmsc: bssap: Catch TLV parse failures

Change-Id: I6aef9a94fa5b2e0b62a9c1744b8e18e5985f788f
---
M src/libmsc/a_iface_bssap.c
1 file changed, 49 insertions(+), 9 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/48/6448/1

diff --git a/src/libmsc/a_iface_bssap.c b/src/libmsc/a_iface_bssap.c
index 0946a5d..e0cbf03 100644
--- a/src/libmsc/a_iface_bssap.c
+++ b/src/libmsc/a_iface_bssap.c
@@ -224,6 +224,10 @@
        LOGPCONN(conn, LOGL_INFO, "Rx BSSMAP CLEAR REQUEST\n");
 
        tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 
0, 0);
+       if (rc < 0) {
+               LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding 
message!\n");
+               return -EINVAL;
+       }
        if (!TLVP_PRESENT(&tp, GSM0808_IE_CAUSE)) {
                LOGP(DBSSAP, LOGL_ERROR, "Cause code is missing -- discarding 
message!\n");
                return -EINVAL;
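Review bot: The `if (rc < 0)` guard added at the top of this hunk tests a value the hunk never sets: the `tlv_parse(...)` call directly above it is an unchanged context line, so `rc` still holds whatever the handler had before (uninitialized if it was only declared, or a stale result from an earlier call), and the new check either never fires or rejects a well-formed CLEAR REQUEST. The call should become `rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 0, 0);` as every other hunk in this change does. Unlike the CLASSMARK UPDATE and later hunks, this hunk and the COMPLETE L3 INFO and ASSIGNMENT COMPLETE hunks add no `int rc;` declaration, which is only correct if those handlers already declare `rc` outside the visible context. The enclosing handler starts and ends outside the hunk.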
@@ -276,7 +280,11 @@
 
        LOGP(DBSSAP, LOGL_INFO, "Rx BSSMAP COMPLETE L3 INFO (conn_id=%i)\n", 
a_conn_info->conn_id);
 
-       tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 
0, 0);
+       rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) 
- 1, 0, 0);
+       if (rc < 0) {
+               LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding 
message!\n");
+               return -EINVAL;
+       }
        if (!TLVP_PRESENT(&tp, GSM0808_IE_CELL_IDENTIFIER)) {
                LOGP(DBSSAP, LOGL_ERROR, "Mandatory CELL IDENTIFIER not present 
-- discarding message!\n");
                return -EINVAL;
@@ -339,10 +347,15 @@
        const uint8_t *cm3 = NULL;
        uint8_t cm2_len = 0;
        uint8_t cm3_len = 0;
+       int rc;
 
        LOGPCONN(conn, LOGL_DEBUG, "Rx BSSMAP CLASSMARK UPDATE\n");
 
-       tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 
0, 0);
+       rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) 
- 1, 0, 0);
+       if (rc < 0) {
+               LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding 
message!\n");
+               return -EINVAL;
+       }
        if (!TLVP_PRESENT(&tp, GSM0808_IE_CLASSMARK_INFORMATION_T2)) {
                LOGPCONN(conn, LOGL_ERROR, "Mandatory Classmark Information 
Type 2 not present -- discarding message!\n");
                return -EINVAL;
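Review bot: The new error line in this hunk logs with `LOGP(DBSSAP, ...)` while the neighbouring mandatory-IE check in the same handler uses `LOGPCONN(conn, ...)`, so a TLV parse failure is the one rejection in the handler that cannot be correlated with the subscriber connection in the log; the same mismatch is in the CIPHER MODE COMPLETE, CIPHER MODE REJECT, ASSIGNMENT FAILURE, SAPI-N-REJECT and ASSIGNMENT COMPLETE hunks, where `conn` is likewise in scope judging by the adjacent `LOGPCONN` calls. `LOGPCONN(conn, LOGL_ERROR, "Failed parsing TLV -- discarding message!\n");` would keep the connection context. The handler body continues outside the hunk.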
@@ -374,10 +387,15 @@
 
        struct tlv_parsed tp;
        uint8_t alg_id = 1;
+       int rc;
 
        LOGPCONN(conn, LOGL_DEBUG, "Rx BSSMAP CIPHER MODE COMPLETE\n");
 
-       tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 
0, 0);
+       rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) 
- 1, 0, 0);
+       if (rc < 0) {
+               LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding 
message!\n");
+               return -EINVAL;
+       }
 
        if (TLVP_PRESENT(&tp, GSM0808_IE_CHOSEN_ENCR_ALG)) {
                alg_id = TLVP_VAL(&tp, GSM0808_IE_CHOSEN_ENCR_ALG)[0] - 1;
@@ -401,10 +419,15 @@
 {
        struct tlv_parsed tp;
        uint8_t cause;
+       int rc;
 
        LOGPCONN(conn, LOGL_NOTICE, "RX BSSMAP CIPHER MODE REJECT\n");
 
-       tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 
0, 0);
+       rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) 
- 1, 0, 0);
+       if (rc < 0) {
+               LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding 
message!\n");
+               return -EINVAL;
+       }
        if (!TLVP_PRESENT(&tp, BSS_MAP_MSG_CIPHER_MODE_REJECT)) {
                LOGPCONN(conn, LOGL_ERROR, "Cause code is missing -- discarding 
message!\n");
                return -EINVAL;
@@ -426,10 +449,15 @@
        uint8_t cause;
        uint8_t *rr_cause_ptr = NULL;
        uint8_t rr_cause;
+       int rc;
 
        LOGPCONN(conn, LOGL_NOTICE, "Rx BSSMAP ASSIGNMENT FAILURE message\n");
 
-       tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 
0, 0);
+       rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) 
- 1, 0, 0);
+       if (rc < 0) {
+               LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding 
message!\n");
+               return -EINVAL;
+       }
        if (!TLVP_PRESENT(&tp, GSM0808_IE_CAUSE)) {
                LOGPCONN(conn, LOGL_ERROR, "Cause code is missing -- discarding 
message!\n");
                return -EINVAL;
@@ -458,19 +486,28 @@
 {
        struct tlv_parsed tp;
        uint8_t dlci;
+       int rc;
 
        LOGPCONN(conn, LOGL_NOTICE, "Rx BSSMAP SAPI-N-REJECT message\n");
 
        /* Note: The MSC code seems not to care about the cause code, but by
         * the specification it is mandatory, so we check its presence. See
         * also 3GPP TS 48.008 3.2.1.34 SAPI "n" REJECT */
-       tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 
0, 0);
+       rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) 
- 1, 0, 0);
+       if (rc < 0) {
+               LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding 
message!\n");
+               return -EINVAL;
+       }
        if (!TLVP_PRESENT(&tp, GSM0808_IE_CAUSE)) {
                LOGPCONN(conn, LOGL_ERROR, "Cause code is missing -- discarding 
message!\n");
                return -EINVAL;
        }
 
-       tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 
0, 0);
+       rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) 
- 1, 0, 0);
+       if (rc < 0) {
+               LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding 
message!\n");
+               return -EINVAL;
+       }
        if (!TLVP_PRESENT(&tp, GSM0808_IE_DLCI)) {
                LOGPCONN(conn, LOGL_ERROR, "DLCI is missing -- discarding 
message!\n");
                return -EINVAL;
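Review bot: The second `rc = tlv_parse(...)` in this hunk re-parses the same `msg` into the same `tp` that the first call already filled, so the error check added after it can only repeat the outcome of the one above; the duplicate parse and its five-line guard can be dropped and the `GSM0808_IE_DLCI` presence test run directly against the existing `tp`. That also avoids walking the peer-supplied IE list twice per message for no gain. The enclosing handler starts and ends outside the hunk.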
@@ -497,8 +534,11 @@
 
        LOGPCONN(conn, LOGL_INFO, "Rx BSSMAP ASSIGNMENT COMPLETE message\n");
 
-       tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) - 1, 
0, 0);
-
+       rc = tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 1, msgb_l3len(msg) 
- 1, 0, 0);
+       if (rc < 0) {
+               LOGP(DBSSAP, LOGL_ERROR, "Failed parsing TLV -- discarding 
message!\n");
+               return -EINVAL;
+       }
        if (!TLVP_PRESENT(&tp, GSM0808_IE_AOIP_TRASP_ADDR)) {
                LOGPCONN(conn, LOGL_ERROR, "AoIP transport identifier missing 
-- discarding message!\n");
                return -EINVAL;

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: I6aef9a94fa5b2e0b62a9c1744b8e18e5985f788f
Gerrit-PatchSet: 1
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Pau Espin Pedrol <pes...@sysmocom.de>
