diff options
author | Oliver Smith <osmith@sysmocom.de> | 2019-06-06 11:57:05 +0200 |
---|---|---|
committer | Oliver Smith <osmith@sysmocom.de> | 2019-06-11 08:43:49 +0200 |
commit | 103c11bd24662e124f7f6c539c0d1c606a67167c (patch) | |
tree | 46f215ede63071e79fee4a7a8965119f80256564 | |
parent | 63de00cfc104a32b5fb6abeeabaa631381c4cb36 (diff) |
rx_check_imei_req(): fix IMEI bounds checking
IMEIs (without the checksum) always have 14 digits. Replace the previous
check (length <= 14) with a proper one (length == 14) and set the buffer
to the right size. While at it, add the return code of
gsm48_decode_bc_number2() to the error log message.
I have tested with new TTCN3 tests, that the length check is working
properly now.
Related: OS#2541
Change-Id: I060a8db98fb882e4815d1709a5d85bc0143a73a6
-rw-r--r-- | src/hlr.c | 24 |
1 files changed, 17 insertions, 7 deletions
@@ -477,18 +477,28 @@ static int rx_check_imei_req(struct osmo_gsup_conn *conn, const struct osmo_gsup { struct osmo_gsup_message gsup_reply = {0}; struct msgb *msg_out; - char imei[GSM23003_IMEI_NUM_DIGITS+1] = {0}; + char imei[GSM23003_IMEI_NUM_DIGITS_NO_CHK+1] = {0}; + int rc; + + /* Require IMEI */ + if (!gsup->imei_enc) { + LOGP(DMAIN, LOGL_ERROR, "%s: missing IMEI\n", gsup->imsi); + gsup_send_err_reply(conn, gsup->imsi, gsup->message_type, GMM_CAUSE_INV_MAND_INFO); + return -1; + } - /* Encoded IMEI length check */ - if (!gsup->imei_enc || gsup->imei_enc_len < 1 || gsup->imei_enc[0] >= sizeof(imei)) { - LOGP(DMAIN, LOGL_ERROR, "%s: wrong encoded IMEI length\n", gsup->imsi); + /* Decode IMEI (fails if IMEI is too long) */ + rc = gsm48_decode_bcd_number2(imei, sizeof(imei), gsup->imei_enc, gsup->imei_enc_len, 0); + if (rc < 0) { + LOGP(DMAIN, LOGL_ERROR, "%s: failed to decode IMEI (rc: %i)\n", gsup->imsi, rc); gsup_send_err_reply(conn, gsup->imsi, gsup->message_type, GMM_CAUSE_INV_MAND_INFO); return -1; } - /* Decode IMEI */ - if (gsm48_decode_bcd_number2(imei, sizeof(imei), gsup->imei_enc, gsup->imei_enc_len, 0) < 0) { - LOGP(DMAIN, LOGL_ERROR, "%s: failed to decode IMEI\n", gsup->imsi); + /* Check if IMEI is too short */ + if (strlen(imei) != GSM23003_IMEI_NUM_DIGITS_NO_CHK) { + LOGP(DMAIN, LOGL_ERROR, "%s: wrong encoded IMEI length (IMEI: '%s', %lu, %i)\n", gsup->imsi, imei, + strlen(imei), GSM23003_IMEI_NUM_DIGITS_NO_CHK); gsup_send_err_reply(conn, gsup->imsi, gsup->message_type, GMM_CAUSE_INV_MAND_INFO); return -1; } |