VLR evil twin: just discard previous entries (DoS!)neels/vlr_evil_twin1

Change-Id: If80a755fe0d8686a83c772869e621dbd6d08d7cd
author: Neels Hofmeyr <neels@hofmeyr.de> 2020-08-19 12:38:12 +0000
committer: Neels Hofmeyr <neels@hofmeyr.de> 2020-09-01 21:00:17 +0000
commit: 48076e9f0ec39d1fee92d6c1060f4f9b7b60fd0a (patch)
tree: bfc74ed2313ee36e783acc57713651aca81cda15
parent: cbbcf5a1a98c39f4dc990f5e33929a769209df38 (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c
index 6bd82d0e1..a499fe51a 100644
--- a/src/libmsc/gsm_04_08.c
+++ b/src/libmsc/gsm_04_08.c
@@ -225,6 +225,20 @@ static int mm_rx_id_resp(struct msc_a *msc_a, struct msgb *msg)
 
 	osmo_signal_dispatch(SS_SUBSCR, S_SUBSCR_IDENTITY, gh->data);
 
+	/* It is possible that this ID Response reveals an IMSI that is already attached in the VLR. If so, we must
+	 * avoid creating two vlr_subscr entries with the same IMSI. */
+	if (mi.type == GSM_MI_TYPE_IMSI) {
+		struct vlr_subscr *vsub_exists = vlr_subscr_find_by_imsi(vsub->vlr, mi.imsi, __func__);
+		if (vsub_exists) {
+			/* Since the new vlr_subscr already has e.g. a lu_fsm associated with it, it is easiest to
+			 * discard the previous entry.
+			 * FIXME: an unauthenticated subscriber can thus discard arbitrary IMSIs from the VLR! */
+			LOGP(DMM, LOGL_ERROR, "MM Identity Response contains IMSI that is already attached in the VLR,"
+			     " discarding previous VLR entry: %s\n", vlr_subscr_name(vsub_exists));
+			vlr_subscr_free(vsub_exists);
+		}
+	}
+
 	return vlr_subscr_rx_id_resp(vsub, &mi);
 }
author	Neels Hofmeyr <neels@hofmeyr.de>	2020-08-19 12:38:12 +0000
committer	Neels Hofmeyr <neels@hofmeyr.de>	2020-09-01 21:00:17 +0000
commit	48076e9f0ec39d1fee92d6c1060f4f9b7b60fd0a (patch)
tree	bfc74ed2313ee36e783acc57713651aca81cda15
parent	cbbcf5a1a98c39f4dc990f5e33929a769209df38 (diff)