-rw-r--r-- | openbsc/include/openbsc/gsm_04_80.h | 10 | ||||
-rw-r--r-- | openbsc/include/openbsc/gsm_subscriber.h | 7 | ||||
-rw-r--r-- | openbsc/src/gsm_04_80.c | 9 | ||||
-rw-r--r-- | openbsc/src/gsm_data.c | 2 | ||||
-rw-r--r-- | openbsc/src/ussd.c | 6 |
5 files changed, 20 insertions, 14 deletions
diff --git a/openbsc/include/openbsc/gsm_04_80.h b/openbsc/include/openbsc/gsm_04_80.h index 9bdf2c200..c240bbe94 100644 --- a/openbsc/include/openbsc/gsm_04_80.h +++ b/openbsc/include/openbsc/gsm_04_80.h @@ -125,17 +125,19 @@ #include <openbsc/msgb.h> +#define MAX_LEN_USSD_STRING 31 + struct ussd_request { - char text[32]; + char text[MAX_LEN_USSD_STRING + 1]; u_int8_t transaction_id; u_int8_t invoke_id; }; -int gsm0480_decode_ussd_request(struct msgb *msg, +int gsm0480_decode_ussd_request(const struct msgb *msg, struct ussd_request *request); -int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text, +int gsm0480_send_ussd_response(const struct msgb *in_msg, const char* response_text, const struct ussd_request *req); -int gsm0480_send_ussd_reject(struct msgb *msg, +int gsm0480_send_ussd_reject(const struct msgb *msg, const struct ussd_request *request); #endif diff --git a/openbsc/include/openbsc/gsm_subscriber.h b/openbsc/include/openbsc/gsm_subscriber.h index ea70c3aa2..d612ed566 100644 --- a/openbsc/include/openbsc/gsm_subscriber.h +++ b/openbsc/include/openbsc/gsm_subscriber.h @@ -8,13 +8,14 @@ #define GSM_IMEI_LENGTH 17 #define GSM_IMSI_LENGTH 17 #define GSM_NAME_LENGTH 128 -#define GSM_EXTENSION_LENGTH 128 + +#define GSM_EXTENSION_LENGTH 15 /* MSISDN can only be 15 digits length */ +#define GSM_MIN_EXTEN 20000 +#define GSM_MAX_EXTEN 49999 /* reserved according to GSM 03.03 ยง 2.4 */ #define GSM_RESERVED_TMSI 0xFFFFFFFF -#define GSM_MIN_EXTEN 20000 -#define GSM_MAX_EXTEN 49999 #define GSM_SUBSCRIBER_FIRST_CONTACT 0x00000001 #define tmsi_from_string(str) strtoul(str, NULL, 10) diff --git a/openbsc/src/gsm_04_80.c b/openbsc/src/gsm_04_80.c index 5d85c8221..7f5089de1 100644 --- a/openbsc/src/gsm_04_80.c +++ b/openbsc/src/gsm_04_80.c 
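Review bot: In the gsm_subscriber.h hunk, `GSM_EXTENSION_LENGTH` shrinks from 128 to 15 with the comment that an MSISDN is at most 15 digits, but a 15-digit number plus its NUL terminator needs 16 bytes. The field that uses the constant is not visible here; if it is declared as `char extension[GSM_EXTENSION_LENGTH]`, the longest valid MSISDN no longer fits. The gsm_04_80.h hunk in this same commit sizes `text` as `MAX_LEN_USSD_STRING + 1`, and ussd.c treats the constant as a character count (`GSM_EXTENSION_LENGTH + 20`), so the buffer should follow the same convention, e.g. `char extension[GSM_EXTENSION_LENGTH + 1];`. Code that copies into the extension field was written against a 128-byte buffer and lies outside this diff, so each such copy should be confirmed to be bounded by the new size.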
@@ -70,7 +70,7 @@ static inline unsigned char *msgb_push_TLV1(struct msgb *msgb, u_int8_t tag, /* Decode a mobile-originated USSD-request message */ -int gsm0480_decode_ussd_request(struct msgb *msg, struct ussd_request *req) +int gsm0480_decode_ussd_request(const struct msgb *msg, struct ussd_request *req) { int rc = 0; u_int8_t *parse_ptr = msgb_l3(msg); @@ -230,6 +230,9 @@ static int parse_process_uss_req(u_int8_t *uss_req_data, u_int8_t length, if ((dcs == 0x0F) && (uss_req_data[5] == ASN1_OCTET_STRING_TAG)) { num_chars = (uss_req_data[6] * 8) / 7; + /* Prevent a mobile-originated buffer-overrun! */ + if (num_chars > MAX_LEN_USSD_STRING) + num_chars = MAX_LEN_USSD_STRING; gsm_7bit_decode(req->text, &(uss_req_data[7]), num_chars); /* append null-terminator */ @@ -242,7 +245,7 @@ static int parse_process_uss_req(u_int8_t *uss_req_data, u_int8_t length, } /* Send response to a mobile-originated ProcessUnstructuredSS-Request */ -int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text, +int gsm0480_send_ussd_response(const struct msgb *in_msg, const char* response_text, const struct ussd_request *req) { struct msgb *msg = gsm48_msgb_alloc(); @@ -295,7 +298,7 @@ int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text, return gsm48_sendmsg(msg, NULL); } -int gsm0480_send_ussd_reject(struct msgb *in_msg, +int gsm0480_send_ussd_reject(const struct msgb *in_msg, const struct ussd_request *req) { struct msgb *msg = gsm48_msgb_alloc(); diff --git a/openbsc/src/gsm_data.c b/openbsc/src/gsm_data.c index 34642900b..60205be13 100644 --- a/openbsc/src/gsm_data.c +++ b/openbsc/src/gsm_data.c @@ -232,7 +232,7 @@ static char ts2str[255]; char *gsm_ts_name(struct gsm_bts_trx_ts *ts) { snprintf(ts2str, sizeof(ts2str), "(bts=%d,trx=%d,ts=%d)", - ts->trx->bts->bts_nr, ts->trx->nr, ts->nr); + ts->trx->bts->nr, ts->trx->nr, ts->nr); return ts2str; } diff --git a/openbsc/src/ussd.c b/openbsc/src/ussd.c index e414b1cea..a3d11f080 100644 
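Review bot: In the `@@ -230` hunk of parse_process_uss_req, the new clamp bounds the write into `req->text`, but `num_chars` still comes only from the mobile-supplied octet `uss_req_data[6]` and is never compared with the `length` parameter. `gsm_7bit_decode` can therefore read up to 28 bytes starting at `uss_req_data[7]` regardless of how many bytes were actually received, and indices 5 and 6 are themselves read without a visible length check. Assuming `length` counts from `uss_req_data[0]` (the function starts outside the hunk, so this needs confirming), a guard such as `if (length < 7 || uss_req_data[6] > length - 7)` taking the function's failure path before the decode would close the read side. Logging when the clamp triggers would also make malformed or hostile requests visible instead of silently truncating them.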
--- a/openbsc/src/ussd.c +++ b/openbsc/src/ussd.c @@ -63,9 +63,9 @@ int handle_rcv_ussd(struct msgb *msg) static int send_own_number(const struct msgb *msg, const struct ussd_request *req) { char *own_number = msg->lchan->subscr->extension; - /* Need trailing CR as EOT character */ - char response_string[] = "Your extension is xxxxx\r"; + char response_string[GSM_EXTENSION_LENGTH + 20]; - memcpy(response_string + 18, own_number, 5); + /* Need trailing CR as EOT character */ + snprintf(response_string, sizeof(response_string), "Your extension is %s\r", own_number); return gsm0480_send_ussd_response(msg, response_string, req); } |
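Review bot: The `snprintf` result in send_own_number is discarded, so if `extension` ever holds more than `GSM_EXTENSION_LENGTH` characters the text is silently truncated and loses the trailing `\r` that the comment says is required as the EOT character. Capture the result and fail on truncation, e.g. `int n = snprintf(...); if (n < 0 || (size_t)n >= sizeof(response_string)) return -1;` (adjust the error value to the caller's convention, which is not visible here). Separately, `msg->lchan->subscr->extension` is dereferenced without a NULL check. Whether handle_rcv_ussd guarantees an attached subscriber cannot be seen from this hunk, so either add the check or state the precondition in a comment above the function.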