Diffstat (limited to 'src/gb')
-rw-r--r-- | src/gb/gprs_bssgp.c | 58 | ||||
-rw-r--r-- | src/gb/gprs_bssgp_bss.c | 30 |
2 files changed, 45 insertions, 43 deletions
diff --git a/src/gb/gprs_bssgp.c b/src/gb/gprs_bssgp.c
index 38794c28..2784d0a8 100644
--- a/src/gb/gprs_bssgp.c
+++ b/src/gb/gprs_bssgp.c
@@ -1170,19 +1170,20 @@ int bssgp_tx_dl_ud(struct msgb *msg, uint16_t pdu_lifetime,
 
 /* IMSI */
 if (dup->imsi && strlen(dup->imsi)) {
- uint8_t mi[GSM48_MID_MAX_SIZE];
-/* gsm48_generate_mid_from_imsi() is guaranteed to never return more than 11,
- * but somehow gcc (8.2) is not smart enough to figure this out and claims that
- * the memcpy in msgb_tvlv_put() below will cause and out-of-bounds access up to
- * mi[131], which is wrong */
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Warray-bounds"
- int imsi_len = gsm48_generate_mid_from_imsi(mi, dup->imsi);
- OSMO_ASSERT(imsi_len <= GSM48_MID_MAX_SIZE);
- if (imsi_len > 2)
- msgb_tvlv_push(msg, BSSGP_IE_IMSI,
- imsi_len-2, mi+2);
-#pragma GCC diagnostic pop
+ struct osmo_mobile_identity mi = { .type = GSM_MI_TYPE_IMSI, };
+ OSMO_STRLCPY_ARRAY(mi.imsi, dup->imsi);
+ msgb_tvl_put(msg, BSSGP_IE_IMSI, osmo_mobile_identity_encoded_len(&mi, NULL));
+ if (osmo_mobile_identity_encode_msgb(msg, &mi, false) <= 0) {
+ if (log_check_level(DBSSGP, LOGL_NOTICE)) {
+ char strbuf[64];
+ osmo_mobile_identity_to_str_buf(strbuf, sizeof(strbuf), &mi);
+ LOGP(DBSSGP, LOGL_ERROR,
+ "NSEI=%u/BVCI=%u Cannot encode Mobile Identity %s\n",
+ nsei, bvci, strbuf);
+ }
+ msgb_free(msg);
+ return -EINVAL;
+ }
 }
 
 /* DRX parameters */
@@ -1227,12 +1228,8 @@ int bssgp_tx_paging(uint16_t nsei, uint16_t ns_bvci,
 struct bssgp_normal_hdr *bgph =
 (struct bssgp_normal_hdr *) msgb_put(msg, sizeof(*bgph));
 uint16_t drx_params = osmo_htons(pinfo->drx_params);
- uint8_t mi[GSM48_MID_MAX_SIZE];
- int imsi_len = gsm48_generate_mid_from_imsi(mi, pinfo->imsi);
 struct gsm48_ra_id ra;
-
- if (imsi_len < 2)
- return -EINVAL;
+ struct osmo_mobile_identity mi;
 
 msgb_nsei(msg) = nsei;
 msgb_bvci(msg) = ns_bvci;
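Review bot: The removed code added the IMSI IE with msgb_tvlv_push(), while the replacement uses msgb_tvl_put() plus osmo_mobile_identity_encode_msgb(), both of which append at the tail of the msgb; if the rest of bssgp_tx_dl_ud (outside this hunk) builds the PDU by pushing IEs in front of an LLC payload that is already in msg, the IMSI IE now ends up behind the payload rather than in the IE list. Please confirm against the surrounding code, and if push order is required, encode the identity into a local buffer and keep msgb_tvlv_push() for the IE. Separately, the new failure branch gates a LOGL_ERROR message on `log_check_level(DBSSGP, LOGL_NOTICE)`, so with the subsystem level set above NOTICE the error is never printed; the gate should be `if (log_check_level(DBSSGP, LOGL_ERROR)) {`. The branch also frees a caller-supplied msg before returning -EINVAL; that is fine only if the function's other failure paths (outside the hunk) take ownership the same way, so a one-line comment stating that msg is consumed on error would help.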
@@ -1241,16 +1238,23 @@ int bssgp_tx_paging(uint16_t nsei, uint16_t ns_bvci,
 bgph->pdu_type = BSSGP_PDUT_PAGING_PS;
 else
 bgph->pdu_type = BSSGP_PDUT_PAGING_CS;
+
 /* IMSI */
-/* gsm48_generate_mid_from_imsi() is guaranteed to never return more than 11,
- * but somehow gcc (8.2) is not smart enough to figure this out and claims that
- * the memcpy in msgb_tvlv_put() below will cause and out-of-bounds access up to
- * mi[131], which is wrong */
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Warray-bounds"
- OSMO_ASSERT(imsi_len <= GSM48_MID_MAX_SIZE);
- msgb_tvlv_put(msg, BSSGP_IE_IMSI, imsi_len-2, mi+2);
-#pragma GCC diagnostic pop
+ mi = (struct osmo_mobile_identity){ .type = GSM_MI_TYPE_IMSI, };
+ OSMO_STRLCPY_ARRAY(mi.imsi, pinfo->imsi);
+ msgb_tvl_put(msg, BSSGP_IE_IMSI, osmo_mobile_identity_encoded_len(&mi, NULL));
+ if (osmo_mobile_identity_encode_msgb(msg, &mi, false) <= 0) {
+ if (log_check_level(DBSSGP, LOGL_NOTICE)) {
+ char strbuf[64];
+ osmo_mobile_identity_to_str_buf(strbuf, sizeof(strbuf), &mi);
+ LOGP(DBSSGP, LOGL_ERROR,
+ "NSEI=%u/BVCI=%u Cannot encode Mobile Identity %s\n",
+ nsei, ns_bvci, strbuf);
+ }
+ msgb_free(msg);
+ return -EINVAL;
+ }
+
 /* DRX Parameters */
 msgb_tvlv_put(msg, BSSGP_IE_DRX_PARAMS, 2, (uint8_t *) &drx_params);
 
diff --git a/src/gb/gprs_bssgp_bss.c b/src/gb/gprs_bssgp_bss.c
index 5c9d11cc..9e9cefc5 100644
--- a/src/gb/gprs_bssgp_bss.c
+++ b/src/gb/gprs_bssgp_bss.c
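Review bot: The error branch checks `log_check_level(DBSSGP, LOGL_NOTICE)` but then logs at LOGL_ERROR, so a subsystem configured to log only ERROR and above silently loses the message; the gate should match the emitted level, `if (log_check_level(DBSSGP, LOGL_ERROR)) {`. This twelve-line encode-and-report block is also a verbatim copy of the one added to bssgp_tx_dl_ud in the same file, so a small static helper that appends the IMSI IE and reports the failure would keep the two from drifting (the mi variable introduced in the previous hunk would then become unused). bssgp_tx_paging starts and ends outside this hunk; the helper below assumes the appending msgb_tvl_put order is what this function needs.
```c
/* Append a BSSGP IMSI IE encoded from a NUL-terminated IMSI string.
 * Returns 0 on success, -EINVAL (after logging) if it cannot be encoded;
 * the caller still owns msg on failure. */
static int bssgp_put_imsi_ie(struct msgb *msg, uint16_t nsei, uint16_t bvci, const char *imsi)
{
	struct osmo_mobile_identity mi = { .type = GSM_MI_TYPE_IMSI, };
	OSMO_STRLCPY_ARRAY(mi.imsi, imsi);
	msgb_tvl_put(msg, BSSGP_IE_IMSI, osmo_mobile_identity_encoded_len(&mi, NULL));
	if (osmo_mobile_identity_encode_msgb(msg, &mi, false) <= 0) {
		if (log_check_level(DBSSGP, LOGL_ERROR)) {
			char strbuf[64];
			osmo_mobile_identity_to_str_buf(strbuf, sizeof(strbuf), &mi);
			LOGP(DBSSGP, LOGL_ERROR,
			     "NSEI=%u/BVCI=%u Cannot encode Mobile Identity %s\n",
			     nsei, bvci, strbuf);
		}
		return -EINVAL;
	}
	return 0;
}

/* … unchanged: bssgp_tx_paging header and PDU type selection … */
	/* IMSI */
	if (bssgp_put_imsi_ie(msg, nsei, ns_bvci, pinfo->imsi) < 0) {
		msgb_free(msg);
		return -EINVAL;
	}
/* … unchanged: DRX Parameters … */
```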
@@ -178,22 +178,17 @@ int bssgp_tx_radio_status_imsi(struct bssgp_bvc_ctx *bctx, uint8_t cause,
 const char *imsi)
 {
 struct msgb *msg = common_tx_radio_status(bctx);
- uint8_t mi[GSM48_MID_MAX_SIZE];
- int imsi_len = gsm48_generate_mid_from_imsi(mi, imsi);
+ struct osmo_mobile_identity mi = { .type = GSM_MI_TYPE_IMSI, };
+ OSMO_STRLCPY_ARRAY(mi.imsi, imsi);
 
 if (!msg)
 return -ENOMEM;
-/* gsm48_generate_mid_from_imsi() is guaranteed to never return more than 11,
- * but somehow gcc (8.2) is not smart enough to figure this out and claims that
- * the memcpy in msgb_tvlv_put() below will cause and out-of-bounds access up to
- * mi[131], which is wrong */
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Warray-bounds"
- OSMO_ASSERT(imsi_len <= GSM48_MID_MAX_SIZE);
- /* strip the MI type and length values (2 bytes) */
- if (imsi_len > 2)
- msgb_tvlv_put(msg, BSSGP_IE_IMSI, imsi_len-2, mi+2);
-#pragma GCC diagnostic pop
+
+ msgb_tvl_put(msg, BSSGP_IE_IMSI, osmo_mobile_identity_encoded_len(&mi, NULL));
+ if (osmo_mobile_identity_encode_msgb(msg, &mi, false) <= 0) {
+ msgb_free(msg);
+ return -EINVAL;
+ }
 
 LOGPC(DBSSGP, LOGL_NOTICE, "IMSI=%s ", imsi);
 return common_tx_radio_status2(msg, cause);
@@ -486,6 +481,7 @@ int bssgp_rx_paging(struct bssgp_paging_info *pinfo,
 struct tlv_parsed tp;
 uint8_t ra[6];
 int rc, data_len;
+ struct osmo_mobile_identity mi;
 
 memset(ra, 0, sizeof(ra));
 
@@ -510,9 +506,11 @@ int bssgp_rx_paging(struct bssgp_paging_info *pinfo,
 goto err_mand_ie;
 if (!pinfo->imsi)
 pinfo->imsi = talloc_zero_size(pinfo, GSM_IMSI_LENGTH);
- gsm48_mi_to_string(pinfo->imsi, GSM_IMSI_LENGTH,
- TLVP_VAL(&tp, BSSGP_IE_IMSI),
- TLVP_LEN(&tp, BSSGP_IE_IMSI));
+ if (osmo_mobile_identity_decode(&mi, TLVP_VAL(&tp, BSSGP_IE_IMSI), TLVP_LEN(&tp, BSSGP_IE_IMSI), false))
+ goto err_mand_ie;
+ if (mi.type != GSM_MI_TYPE_IMSI)
+ goto err_mand_ie;
+ osmo_talloc_replace_string(pinfo, &pinfo->imsi, mi.imsi);
 
 /* DRX Parameters */
 if (!TLVP_PRESENT(&tp, BSSGP_IE_DRX_PARAMS))
|
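Review bot: The new failure branch in bssgp_tx_radio_status_imsi frees the message and returns -EINVAL without any diagnostic, whereas the two equivalent branches added to gprs_bssgp.c in this same commit log at LOGL_ERROR; a one-liner such as `LOGP(DBSSGP, LOGL_ERROR, "Cannot encode IMSI %s\n", imsi);` before the msgb_free() would make a bad IMSI visible instead of a silent send failure. Note that this is also a behaviour change worth a comment: the removed code skipped the IE and still sent RADIO-STATUS when the IMSI was too short, the new code aborts the send. Since the LOGPC() after this block appears to continue a log line opened elsewhere (presumably in common_tx_radio_status, outside the hunk), bailing out here may also leave that line unterminated; please confirm.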
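Review bot: With osmo_talloc_replace_string() now assigning pinfo->imsi, the two unchanged context lines `if (!pinfo->imsi)` / `pinfo->imsi = talloc_zero_size(pinfo, GSM_IMSI_LENGTH);` just before the decode are dead weight: the zeroed buffer is freed again immediately on success, and on the new decode/type failures it is left allocated but empty; dropping those two lines removes the extra allocation. The decode-then-type check itself is the right shape for an IE taken from the wire, since the previous gsm48_mi_to_string() call accepted whatever came in; a short comment on the first goto, e.g. `/* malformed or non-IMSI mobile identity in a mandatory IE: reject the PDU */`, would record why a bad IMSI is treated as a missing mandatory IE. The err_mand_ie label and the rest of bssgp_rx_paging are outside this hunk.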