From e67556e96f135aff7ebb80ad3b8ae89973bbcdaa Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Tue, 4 May 2010 10:59:23 +0200 Subject: [SECURITY] Fix GTPIE parsing DoS This is taken from http://sourceforge.net/tracker/index.php?func=detail&aid=1811511&group_id=68956&atid=522957 and http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg402969.html and addresses a DoS: The problem lies in the parsing of information elements in GTP messages, which is implemented in the gtpie_decaps function of gtp/gtpie.c file. The implementation has a bug that does not check if there are too many information elements in the message thus causing the software to loop infinitely in the while-loop. In addition, handling routine for the error situation had to be implemented outside the while-loop. --- gtp/gtpie.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'gtp') diff --git a/gtp/gtpie.c b/gtp/gtpie.c index 55d3f32..a62d02c 100644 --- a/gtp/gtpie.c +++ b/gtp/gtpie.c @@ -188,7 +188,7 @@ int gtpie_decaps(union gtpie_member* ie[], int version, void *pack, unsigned len memset(ie, 0, 4 * GTPIE_SIZE); - while (p
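Review bot: the visible context line `memset(ie, 0, 4 * GTPIE_SIZE);` hard-codes a 4-byte pointer size, while the function signature declares `ie` as `union gtpie_member* ie[]`, an array of pointers; on LP64 targets a pointer is 8 bytes, so only half of the slot table is zeroed and stale entries from a previous packet can survive into the new parse. Suggest `memset(ie, 0, sizeof(union gtpie_member *) * GTPIE_SIZE);` (or `sizeof(*ie) * GTPIE_SIZE`, since the array parameter has decayed to a pointer). The hunk is cut off at `- while (p`, so the replacement loop condition and the post-loop error handling the message refers to cannot be checked from this page; the diffstat (5 insertions, 1 deletion, `gtp/gtpie.c` only) is at least consistent with a one-line condition change plus a short error path after the loop.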
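As an added illustration of the loop-termination bug the commit message describes (this is constructed example code, not the OpenGGSN gtpie_decaps() implementation), the following shows a minimal TLV information-element parser in the buggy shape, where the packet pointer only advances while a free slot in the IE table exists, next to a bounded version that makes the slot count part of the loop condition and reports the "too many IEs" case after the loop. The IE layout (1-byte type, 2-byte big-endian length, value), the IE_MAX table size, the function names, the error codes and the sample packets are all assumptions made for the demonstration.

```c
/* Constructed example: a minimal GTP-style TLV information-element parser
 * illustrating the loop-termination bug described in the commit message.
 * It is NOT the OpenGGSN gtpie_decaps() code; the IE layout (1-byte type,
 * 2-byte big-endian length, value) and all names below are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IE_MAX 4            /* assumed: tiny slot table so overflow is easy to hit */
#define IE_ERR_TRUNC   (-1) /* IE header or value runs past the packet end */
#define IE_ERR_TOOMANY (-2) /* more IEs than slots (bounded parser) */
#define IE_ERR_SPIN    (-3) /* iteration budget exhausted (buggy parser) */

/* Constructed sample packets, not captured traffic. */
static const uint8_t pkt_ok[] = {       /* 3 well-formed IEs, 12 bytes */
    0x01, 0x00, 0x01, 0xaa,
    0x02, 0x00, 0x02, 0xbb, 0xcc,
    0x03, 0x00, 0x00 };
static const uint8_t pkt_many[] = {     /* 5 IEs: one more than IE_MAX */
    0x10, 0x00, 0x01, 0x11, 0x10, 0x00, 0x01, 0x11, 0x10, 0x00, 0x01, 0x11,
    0x10, 0x00, 0x01, 0x11, 0x10, 0x00, 0x01, 0x11 };
static const uint8_t pkt_trunc[] = {    /* length field claims 5, only 1 byte left */
    0x10, 0x00, 0x05, 0xaa };

/* Reads the 2-byte big-endian length field of a TLV IE. */
static size_t ie_len(const uint8_t *p)
{
    return ((size_t)p[1] << 8) | p[2];
}

/* Returns 0 when a complete IE starts at p, nonzero when it is truncated. */
static int ie_truncated(const uint8_t *p, const uint8_t *end)
{
    return end - p < 3 || ie_len(p) > (size_t)(end - p) - 3;
}

/* Buggy shape: the packet pointer is only advanced while a free slot exists.
 * Once the table is full, p stays put and the loop never terminates. The
 * `budget` argument is a harness for this demonstration only: it caps the
 * iterations so the spin is reported as IE_ERR_SPIN instead of hanging. */
int decaps_unbounded(const uint8_t *ie[IE_MAX], const uint8_t *pack,
                     size_t len, unsigned budget)
{
    const uint8_t *p = pack, *end = pack + len;
    int j = 0;
    memset(ie, 0, sizeof(*ie) * IE_MAX);   /* pointer-size aware, unlike a hard-coded 4 */
    while (p < end) {
        if (budget-- == 0)
            return IE_ERR_SPIN;            /* would loop forever without the cap */
        if (j < IE_MAX) {
            if (ie_truncated(p, end))
                return IE_ERR_TRUNC;
            ie[j++] = p;
            p += 3 + ie_len(p);
        }
        /* else: no slot left, p is not advanced, loop condition never changes */
    }
    return j;
}

/* Hardened shape: slot count is part of the loop condition, and the
 * "more IEs than slots" situation is handled after the loop. */
int decaps_bounded(const uint8_t *ie[IE_MAX], const uint8_t *pack, size_t len)
{
    const uint8_t *p = pack, *end = pack + len;
    int j = 0;
    memset(ie, 0, sizeof(*ie) * IE_MAX);
    while (p < end && j < IE_MAX) {
        if (ie_truncated(p, end))
            return IE_ERR_TRUNC;
        ie[j++] = p;
        p += 3 + ie_len(p);
    }
    if (p < end)
        return IE_ERR_TOOMANY;             /* reject instead of spinning */
    return j;
}

int main(void)
{
    const uint8_t *ie[IE_MAX];
    printf("ok/unbounded:    %d\n", decaps_unbounded(ie, pkt_ok, sizeof pkt_ok, 100));
    printf("ok/bounded:      %d\n", decaps_bounded(ie, pkt_ok, sizeof pkt_ok));
    printf("many/unbounded:  %d\n", decaps_unbounded(ie, pkt_many, sizeof pkt_many, 100));
    printf("many/bounded:    %d\n", decaps_bounded(ie, pkt_many, sizeof pkt_many));
    printf("trunc/bounded:   %d\n", decaps_bounded(ie, pkt_trunc, sizeof pkt_trunc));
    return 0;
}
```

With the five-IE packet the buggy parser fills its four slots and then spins on the same pointer until the harness budget runs out, which is the hang a remote peer can trigger at will; the bounded parser returns an error after the loop instead. The length check matters as well: without it, a length field larger than the remaining bytes walks `p` past `end`, and the same loop then reads outside the packet buffer.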