diff options
author | Holger Hans Peter Freyther <zecke@selfish.org> | 2013-03-19 20:50:36 +0100 |
---|---|---|
committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2013-04-02 10:10:21 +0200 |
commit | d34adb2f9f0190398bf124e3c44384dd72094676 (patch) | |
tree | fc015954e3ff8df08e34754f1f009d7f5873b14d /openbsc/src/osmo-bsc_nat | |
parent | 8ae35c160692b18ac701edea43cfac675ca18bec (diff) |
nat: Fix authentication by-pass using shorter tokens
The token was compared with the configured one but only up to a
user supplied length. Compare the token sizes and then use memcmp
for the actual comparison to make sure to compare the right ammount
of characters.
There is no unit-test but there should be one.
Diffstat (limited to 'openbsc/src/osmo-bsc_nat')
-rw-r--r-- | openbsc/src/osmo-bsc_nat/bsc_nat.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c index dd06a70b6..792d33c23 100644 --- a/openbsc/src/osmo-bsc_nat/bsc_nat.c +++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c @@ -943,8 +943,26 @@ static void ipaccess_auth_bsc(struct tlv_parsed *tvp, struct bsc_connection *bsc return; } + if (len <= 0) { + LOGP(DNAT, LOGL_ERROR, "Token with length zero on fd: %d\n", + bsc->write_queue.bfd.fd); + return; + } + + if (token[len - 1] != '\0') { + LOGP(DNAT, LOGL_ERROR, "Token not null terminated on fd: %d\n", + bsc->write_queue.bfd.fd); + return; + } + llist_for_each_entry(conf, &bsc->nat->bsc_configs, entry) { - if (strncmp(conf->token, token, len) == 0) { + /* + * Add the '\0' of the token for the memcmp, the IPA messages + * for some reason added null termination. + */ + const int token_len = strlen(conf->token) + 1; + + if (token_len == len && memcmp(conf->token, token, token_len) == 0) { rate_ctr_inc(&conf->stats.ctrg->ctr[BCFG_CTR_NET_RECONN]); bsc->authenticated = 1; bsc->cfg = conf; @@ -956,7 +974,7 @@ static void ipaccess_auth_bsc(struct tlv_parsed *tvp, struct bsc_connection *bsc } } - LOGP(DNAT, LOGL_ERROR, "No bsc found for token %s on fd: %d.\n", token, + LOGP(DNAT, LOGL_ERROR, "No bsc found for token '%s' on fd: %d.\n", token, bsc->write_queue.bfd.fd); } |