From 1610626fe9e65693c6d8743129b10ed4958ec6ea Mon Sep 17 00:00:00 2001
From: Jacob Erlbeck
Date: Mon, 12 Jan 2015 13:54:39 +0100
Subject: gprs: Clear GSUP message structures before decoding

Currently the message structure is not cleared before the message is parsed which can cause information leaking between messages if the same gprs_gsup_message object is used. Especially list elements (auth tuples and pdp info) are not replaced by an IE, but the IE is appended.

This patch uses the assignment operator to clear gprs_gsup_message, gsm_auth_tuple, and gprs_gsup_pdp_info before using them. This also replaces the use of memcpy of the latter.

Sponsored-by: On-Waves ehf
---
 openbsc/src/gprs/gprs_gsup_messages.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'openbsc')

diff --git a/openbsc/src/gprs/gprs_gsup_messages.c b/openbsc/src/gprs/gprs_gsup_messages.c
index aa3d55e0b..f47ad5545 100644
--- a/openbsc/src/gprs/gprs_gsup_messages.c
+++ b/openbsc/src/gprs/gprs_gsup_messages.c
@@ -172,6 +172,9 @@ int gprs_gsup_decode(const uint8_t *const_data, size_t data_len,
 size_t value_len;
 static const struct gprs_gsup_pdp_info empty_pdp_info = {0};
 static const struct gsm_auth_tuple empty_auth_info = {0};
+ static const struct gprs_gsup_message empty_gsup_message = {0};
+
+ *gsup_msg = empty_gsup_message;
 /* generic part */
 rc = gprs_shift_v_fixed(&data, &data_len, 1, &value);
@@ -198,9 +201,6 @@ int gprs_gsup_decode(const uint8_t *const_data, size_t data_len,
 gsm48_decode_bcd_number(gsup_msg->imsi, sizeof(gsup_msg->imsi),
 value - 1, 0);
- gsup_msg->num_pdp_infos = 0;
- gsup_msg->num_auth_tuples = 0;
-
 /* specific parts */
 while (data_len > 0) {
 enum gprs_gsup_iei iei;
@@ -253,7 +253,7 @@ int gprs_gsup_decode(const uint8_t *const_data, size_t data_len,
 return -GMM_CAUSE_COND_IE_ERR;
 }
- memcpy(&pdp_info, &empty_pdp_info, sizeof(pdp_info));
+ pdp_info = empty_pdp_info;
 if (iei == GPRS_GSUP_PDP_INFO_IE) {
 rc = decode_pdp_info(value, value_len, &pdp_info);
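Review bot: The assignment `*gsup_msg = empty_gsup_message;` is now the only thing that resets `num_pdp_infos` and `num_auth_tuples` (their explicit zeroing is dropped in the next hunk), and nothing in the hunk records that, so a later edit that moves the clear below the generic part would silently reintroduce the appended-IE carry-over the commit fixes. Suggested comment above the assignment: `/* Overwrite the caller's message entirely, so IEs appended by an earlier decode (auth tuples, pdp infos) cannot survive into this one. */`. Because the clear happens before any parsing, an error return further down (for example the `return -GMM_CAUSE_COND_IE_ERR` in a later hunk) presumably leaves gsup_msg cleared or partially filled rather than holding the previous message; that is the right outcome, but callers should be told in the function's header comment that gsup_msg is unusable after a failed decode. The body of gprs_gsup_decode continues outside this hunk.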
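Review bot: `pdp_info = empty_pdp_info;` still goes through a static template object whose only purpose is to be all-zero; now that plain assignment is used, a compound literal expresses the same without it: `pdp_info = (struct gprs_gsup_pdp_info){0};`. The same applies to `auth_info = empty_auth_info;` in the following hunk, and with both changed the three `static const … = {0}` declarations added or kept in the first hunk could go. This is a point of style only; the behaviour is identical. The enclosing switch and loop start and end outside this hunk.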
@@ -277,7 +277,7 @@ int gprs_gsup_decode(const uint8_t *const_data, size_t data_len,
 return -GMM_CAUSE_INV_MAND_INFO;
 }
- memcpy(&auth_info, &empty_auth_info, sizeof(auth_info));
+ auth_info = empty_auth_info;
 auth_info.key_seq = gsup_msg->num_auth_tuples;
 rc = decode_auth_info(value, value_len, &auth_info);
--
cgit v1.2.3