From 57d4fe715733915d9dc1cda3af535e16b282d50d Mon Sep 17 00:00:00 2001 From: Philipp Maier Date: Wed, 13 Dec 2017 11:37:38 +0100 Subject: mgcp: validate rtp connection data in MGW response (ip/port) Currently the pasing results from the RTP ip/port are fed into inet_addr without checking the results. Check the return code of inet_addr to be sure that the IP-Address got properly decoded. Change-Id: I1d0aa7e9b8480e1bef57269e3904399cb99815bb --- src/osmo-bsc/osmo_bsc_mgcp.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/osmo-bsc/osmo_bsc_mgcp.c b/src/osmo-bsc/osmo_bsc_mgcp.c index 6907d4f8c..8ea6415da 100644 --- a/src/osmo-bsc/osmo_bsc_mgcp.c +++ b/src/osmo-bsc/osmo_bsc_mgcp.c @@ -198,6 +198,7 @@ static void crcx_for_bts_resp_cb(struct mgcp_response *r, void *priv) struct mgcp_ctx *mgcp_ctx = priv; int rc; struct osmo_bsc_sccp_con *conn; + uint32_t addr; OSMO_ASSERT(mgcp_ctx); conn = mgcp_ctx->conn; @@ -227,13 +228,20 @@ static void crcx_for_bts_resp_cb(struct mgcp_response *r, void *priv) return; } + addr = inet_addr(r->audio_ip); + if (addr == INADDR_NONE) { + LOGPFSML(mgcp_ctx->fsm, LOGL_ERROR, "CRCX/BTS: Cannot parse response (invalid IP-address)\n"); + handle_error(mgcp_ctx, MGCP_ERR_MGW_INVAL_RESP); + return; + } + LOGPFSML(mgcp_ctx->fsm, LOGL_DEBUG, "CRCX/BTS: MGW responded with address %s:%u\n", r->audio_ip, r->audio_port); /* Set the connection details in the conn struct. The code that * controls the BTS via RSL will take these values and signal them * to the BTS via RSL/IPACC */ conn->user_plane.rtp_port = r->audio_port; - conn->user_plane.rtp_ip = osmo_ntohl(inet_addr(r->audio_ip)); + conn->user_plane.rtp_ip = osmo_ntohl(addr); /* Notify the FSM that we got the response. */ osmo_fsm_inst_dispatch(mgcp_ctx->fsm, EV_CRCX_BTS_RESP, mgcp_ctx); @@ -480,6 +488,7 @@ static void crcx_for_net_resp_cb(struct mgcp_response *r, void *priv) struct osmo_bsc_sccp_con *conn; struct gsm_lchan *lchan; struct sockaddr_in *sin; + uint32_t addr; OSMO_ASSERT(mgcp_ctx); conn = mgcp_ctx->conn; @@ -511,13 +520,20 @@ static void crcx_for_net_resp_cb(struct mgcp_response *r, void *priv) return; } + addr = inet_addr(r->audio_ip); + if (addr == INADDR_NONE) { + LOGPFSML(mgcp_ctx->fsm, LOGL_ERROR, "CRCX/NET: Cannot parse response (invalid IP-address)\n"); + handle_error(mgcp_ctx, MGCP_ERR_MGW_INVAL_RESP); + return; + } + LOGPFSML(mgcp_ctx->fsm, LOGL_DEBUG, "CRCX/NET: MGW responded with address %s:%u\n", r->audio_ip, r->audio_port); /* Store address */ sin = (struct sockaddr_in *)&conn->user_plane.aoip_rtp_addr_local; sin->sin_family = AF_INET; - sin->sin_addr.s_addr = inet_addr(r->audio_ip); + sin->sin_addr.s_addr = addr; sin->sin_port = osmo_ntohs(r->audio_port); /* Notify the FSM that we got the response. */ -- cgit v1.2.3