From 4b2ed35b8f35b86ad19e9ff12485dba8adc26e50 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Wed, 27 Jul 2011 23:35:38 +0200 Subject: GPRS: Fix buffer overflow in case of very long MS RA CAP IE The MS Radio Access Capability IE can be _very_ long in some recent high-end mobile phones, way beyond the old 14-byte limit. We increase our array to 52 bytes, and make sure not to overflow that buffer. --- openbsc/src/gprs/gprs_gmm.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'openbsc/src/gprs') diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c index 7eff33f5f..098e4c25b 100644 --- a/openbsc/src/gprs/gprs_gmm.c +++ b/openbsc/src/gprs/gprs_gmm.c @@ -675,8 +675,9 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg, /* MS Radio Access Capability 10.5.5.12a */ ms_ra_acc_cap_len = *cur++; ms_ra_acc_cap = cur; - if (ms_ra_acc_cap_len > 51) + if (ms_ra_acc_cap_len > 52) goto err_inval; + cur += ms_ra_acc_cap_len; /* Optional: Old P-TMSI Signature, Requested READY timer, TMSI Status */ @@ -735,8 +736,10 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg, ctx->cell_id = cid; /* Update MM Context with other data */ ctx->drx_parms = drx_par; - ctx->ms_radio_access_capa.len = ms_ra_acc_cap_len; - memcpy(ctx->ms_radio_access_capa.buf, ms_ra_acc_cap, ms_ra_acc_cap_len); + ctx->ms_radio_access_capa.len = OSMO_MIN(ms_ra_acc_cap_len, + sizeof((ctx->ms_radio_access_capa.buf))); + memcpy(ctx->ms_radio_access_capa.buf, ms_ra_acc_cap, + ctx->ms_radio_access_capa.len); ctx->ms_network_capa.len = msnc_len; memcpy(ctx->ms_network_capa.buf, msnc, msnc_len); @@ -910,6 +913,9 @@ static int gsm48_rx_gmm_ra_upd_req(struct sgsn_mm_ctx *mmctx, struct msgb *msg, /* MS Radio Access Capability 10.5.5.12a */ ms_ra_acc_cap_len = *cur++; ms_ra_acc_cap = cur; + if (ms_ra_acc_cap_len > 52) + return gsm48_tx_gmm_ra_upd_rej(msg, GMM_CAUSE_PROTO_ERR_UNSPEC); + cur += ms_ra_acc_cap_len; /* Optional: Old P-TMSI Signature, Requested READY timer, TMSI Status, * DRX parameter, MS network capability */ -- cgit v1.2.3