| field | value | date |
|---|---|---|
| author | Harald Welte <laforge@gnumonks.org> | 2010-05-04 10:59:23 +0200 |
| committer | Harald Welte <laforge@gnumonks.org> | 2010-05-04 10:59:23 +0200 |
| commit | e67556e96f135aff7ebb80ad3b8ae89973bbcdaa (patch) | |
| tree | 665a3853e0b1fc11bca6b8c3bdeaaa7c0c24f480 /gtp | |
| parent | dd69266b10c782b92c354d2445e46ffdec51c591 (diff) | |
[SECURITY] Fix GTPIE parsing DoS
This is taken from http://sourceforge.net/tracker/index.php?func=detail&aid=1811511&group_id=68956&atid=522957 and http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg402969.html and addresses a DoS:
The problem lies in the parsing of information elements in GTP messages, which
is implemented in the gtpie_decaps function of gtp/gtpie.c file.
The implementation has a bug that does not check if there are too many
information elements in the message, thus causing the software to loop
infinitely in the while loop.
In addition, the handling routine for the error situation had to be implemented
outside the while loop.
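The bounded decoding loop the commit describes, as an added example that is not OpenGGSN's code: a fixed-size element array, a loop that stops either when the packet is consumed or when the array is full, and a distinct error return for the "too many elements" case. The IE wire format used here (one-byte value for types below 0x80, two-byte big-endian length otherwise), the array size `DEMO_IE_MAX`, the `demo_*` names and the sample packets are all assumptions constructed for this example and are not the real GTPv1 encoding handled by gtpie_decaps.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-in for GTPIE_SIZE, kept small so the overflow case is easy to build. */
#define DEMO_IE_MAX 4

/* Status codes mirroring the patched gtpie_decaps outcomes. */
#define DEMO_OK        0   /* landed exactly at the end of the packet */
#define DEMO_EOVERRUN -1   /* an IE claimed more bytes than the packet holds */
#define DEMO_ETOOMANY -2   /* more IEs than the array can hold */

struct demo_ie {
    uint8_t type;
    size_t len;
    const uint8_t *value;   /* points into the packet buffer, as gtpie_decaps does */
};

/* Decode a simplified IE stream into a fixed-size array.
 * Wire format assumed here (NOT the real GTPv1 layout):
 *   type <  0x80: TV,  one-byte value
 *   type >= 0x80: TLV, two-byte big-endian length, then value */
int demo_decaps(struct demo_ie ie[], size_t ie_max,
                const uint8_t *pack, size_t len, size_t *count)
{
    const uint8_t *p = pack;
    const uint8_t *end = pack + len;
    size_t j = 0;

    /* sizeof() rather than a hard-coded element width keeps this correct on 64-bit. */
    memset(ie, 0, sizeof(ie[0]) * ie_max);

    /* Both conditions matter: p < end consumes the packet, j < ie_max bounds the array. */
    while (p < end && j < ie_max) {
        uint8_t type = *p;
        size_t hdr, vlen;
        if (type < 0x80) {
            hdr = 1; vlen = 1;
        } else {
            if (end - p < 3) return DEMO_EOVERRUN;   /* length field itself is cut off */
            hdr = 3; vlen = ((size_t)p[1] << 8) | p[2];
        }
        /* Check before touching the value, so no read past end ever happens. */
        if ((size_t)(end - p) < hdr + vlen) return DEMO_EOVERRUN;
        ie[j].type = type;
        ie[j].len = vlen;
        ie[j].value = p + hdr;
        p += hdr + vlen;
        j++;
    }
    *count = j;
    if (p == end) return DEMO_OK;   /* fully consumed, even if the array is exactly full */
    return DEMO_ETOOMANY;           /* loop stopped on the element bound with input remaining */
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t demo_pkt_ok[] = {
    0x01, 0xAA,                         /* TV  type 1 */
    0x02, 0xBB,                         /* TV  type 2 */
    0x80, 0x00, 0x02, 0x11, 0x22,       /* TLV type 0x80, length 2 */
    0x03, 0xCC                          /* TV  type 3: exactly DEMO_IE_MAX elements */
};
static const uint8_t demo_pkt_many[] = {
    0x01, 0xAA, 0x02, 0xBB, 0x80, 0x00, 0x02, 0x11, 0x22, 0x03, 0xCC,
    0x04, 0xDD                          /* fifth IE: one more than the array holds */
};
static const uint8_t demo_pkt_trunc[] = {
    0x80, 0x00, 0x05, 0x11              /* TLV claims 5 value bytes, only 1 present */
};

/* Runs one packet through the decoder; returns the element count on success,
 * otherwise the negative status code. */
static int demo_run(const uint8_t *pack, size_t len)
{
    struct demo_ie ie[DEMO_IE_MAX];
    size_t n = 0;
    int rc = demo_decaps(ie, DEMO_IE_MAX, pack, len, &n);
    return rc == DEMO_OK ? (int)n : rc;
}
int demo_case_ok(void)    { return demo_run(demo_pkt_ok,    sizeof demo_pkt_ok); }
int demo_case_many(void)  { return demo_run(demo_pkt_many,  sizeof demo_pkt_many); }
int demo_case_trunc(void) { return demo_run(demo_pkt_trunc, sizeof demo_pkt_trunc); }

int main(void)
{
    printf("ok:    %d\n", demo_case_ok());    /* 4  */
    printf("many:  %d\n", demo_case_many());  /* -2 */
    printf("trunc: %d\n", demo_case_trunc()); /* -1 */
    return 0;
}
```

Without the `j < ie_max` term the fifth element of `demo_pkt_many` would be stored at `ie[4]`, past the end of the array; with it, the loop exits with input left over and the caller gets `DEMO_ETOOMANY` instead of a corrupted array. The length checks inside the loop are stricter than the post-loop `p > end` test in the original file: they refuse the element before any byte past `end` is read.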
Diffstat (limited to 'gtp')
-rw-r--r-- gtp/gtpie.c | 6
1 file changed, 5 insertions, 1 deletion
diff --git a/gtp/gtpie.c b/gtp/gtpie.c index 55d3f32..a62d02c 100644 --- a/gtp/gtpie.c +++ b/gtp/gtpie.c @@ -188,7 +188,7 @@ int gtpie_decaps(union gtpie_member* ie[], int version, void *pack, unsigned len memset(ie, 0, 4 * GTPIE_SIZE); - while (p<end) { + while ((p<end) && (j<GTPIE_SIZE)) { if (GTPIE_DEBUG) { printf("The packet looks like this:\n"); for( i=0; i<(end-p); i++) { @@ -346,6 +346,10 @@ int gtpie_decaps(union gtpie_member* ie[], int version, void *pack, unsigned len (unsigned long) p, (unsigned long) end); return 0; /* We landed at the end of the packet: OK */ } + else if (!(j<GTPIE_SIZE)) { + if (GTPIE_DEBUG) printf("GTPIE too many elements.\n"); + return EOF; /* We received too many information elements */ + } else { if (GTPIE_DEBUG) printf("GTPIE exceeded end of packet. %lx %lx\n", (unsigned long) p, (unsigned long) end); |
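Review bot: in the first hunk the new loop bound `j<GTPIE_SIZE` is the right fix, but the `memset(ie, 0, 4 * GTPIE_SIZE)` two lines above it hard-codes a 4-byte pointer width; `ie` is an array of `union gtpie_member*`, so on a 64-bit build this clears only the first half of the array and the remaining slots keep whatever was on the stack. Suggest `memset(ie, 0, sizeof(ie[0]) * GTPIE_SIZE)`, and a one-line comment at the loop header noting that `j` is the number of elements stored so far, since the condition now both walks the packet and bounds the array index.

Review bot: in the second hunk the new branch is reached only when `p != end`, so a packet that fills the array exactly and ends at `end` still returns 0 from the branch above it, which is the correct outcome; `!(j<GTPIE_SIZE)` is an awkward way to spell that test, `j >= GTPIE_SIZE` states the intent directly. The `EOF` return also leaves `ie[]` partially filled, so it is worth stating in the commit message or a comment that callers must treat the array as unusable after `EOF`, and the debug message would match its neighbours better if it printed how much input was left (`end - p`) rather than only "too many elements".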