osmith has uploaded this change for review. ( 
https://gerrit.osmocom.org/c/osmo-hlr/+/14399


Change subject: rx_check_imei_req(): fix IMEI bounds checking
......................................................................

rx_check_imei_req(): fix IMEI bounds checking

IMEIs (without the checksum) always have 14 digits. Replace the previous
check (length <= 14) with a proper one (length == 14) and set the buffer
to the right size.

I have verified with new TTCN3 tests that the length check now works
properly.

Related: OS#2541
Change-Id: I060a8db98fb882e4815d1709a5d85bc0143a73a6
---
M src/hlr.c
1 file changed, 8 insertions(+), 7 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-hlr refs/changes/99/14399/1

diff --git a/src/hlr.c b/src/hlr.c
index 33d2828..32a584e 100644
--- a/src/hlr.c
+++ b/src/hlr.c
@@ -477,18 +477,19 @@
 {
        struct osmo_gsup_message gsup_reply = {0};
        struct msgb *msg_out;
-       char imei[GSM23003_IMEI_NUM_DIGITS+1] = {0};
+       char imei[GSM23003_IMEI_NUM_DIGITS_NO_CHK+1] = {0};

-       /* Encoded IMEI length check */
-       if (!gsup->imei_enc || gsup->imei_enc_len < 1 || gsup->imei_enc[0] >= 
sizeof(imei)) {
-               LOGP(DMAIN, LOGL_ERROR, "%s: wrong encoded IMEI length\n", 
gsup->imsi);
+       /* Decode IMEI (fails if IMEI is too long) */
+       if (gsm48_decode_bcd_number2(imei, sizeof(imei), gsup->imei_enc, 
gsup->imei_enc_len, 0) < 0) {
+               LOGP(DMAIN, LOGL_ERROR, "%s: failed to decode IMEI\n", 
gsup->imsi);
                gsup_send_err_reply(conn, gsup->imsi, gsup->message_type, 
GMM_CAUSE_INV_MAND_INFO);
                return -1;
        }

-       /* Decode IMEI */
-       if (gsm48_decode_bcd_number2(imei, sizeof(imei), gsup->imei_enc, 
gsup->imei_enc_len, 0) < 0) {
-               LOGP(DMAIN, LOGL_ERROR, "%s: failed to decode IMEI\n", 
gsup->imsi);
+       /* Check if IMEI is too short */
+       if (strlen(imei) != GSM23003_IMEI_NUM_DIGITS_NO_CHK) {
+               LOGP(DMAIN, LOGL_ERROR, "%s: wrong encoded IMEI length (IMEI: 
'%s', %lu, %i)\n", gsup->imsi, imei,
+                    strlen(imei), GSM23003_IMEI_NUM_DIGITS_NO_CHK);
                gsup_send_err_reply(conn, gsup->imsi, gsup->message_type, 
GMM_CAUSE_INV_MAND_INFO);
                return -1;
        }
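Review bot: The new LOGP in the length check prints `strlen(imei)` with `%lu`, but strlen() returns size_t, so the specifier is mismatched wherever size_t is not unsigned long; use `%zu` there (or cast the argument to `unsigned long`). Separately, the removed guard `!gsup->imei_enc || gsup->imei_enc_len < 1` is not replaced, so this path now depends on gsm48_decode_bcd_number2() rejecting a NULL or zero-length input before it reads the length octet. That behaviour is not visible in this hunk and is worth confirming or covering with a test, since the field comes from a peer-supplied GSUP message. The `strlen(imei) != GSM23003_IMEI_NUM_DIGITS_NO_CHK` test only constrains the length; if the BCD decoder can emit non-decimal characters for nibbles above 9, a check such as `strspn(imei, "0123456789") != GSM23003_IMEI_NUM_DIGITS_NO_CHK` would reject those as well. The function's signature and the rest of its body lie outside the hunk.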

--
To view, visit https://gerrit.osmocom.org/c/osmo-hlr/+/14399

Gerrit-Project: osmo-hlr
Gerrit-Branch: master
Gerrit-Change-Id: I060a8db98fb882e4815d1709a5d85bc0143a73a6
Gerrit-Change-Number: 14399
Gerrit-PatchSet: 1
Gerrit-Owner: osmith <osm...@sysmocom.de>
Gerrit-MessageType: newchange
