authorPhilipp Maier <pmaier@sysmocom.de>2019-03-18 18:12:10 +0100
committerPhilipp Maier <pmaier@sysmocom.de>2019-03-19 15:11:56 +0100
commit8931f1763af3dbd25ab8fe22f4fa277375bd657d (patch)
treef4293f5be07f6056fbcd4dbf3e0ab481367b3635
parent9286114f6f9a8b45e620ccf2014ed713c770c9ed (diff)
a_iface_bssap: check bssmap length fieldpmaier/fixlength
At the moment the length field of the bssmap header is not parsed. Instead the length is computed from the known header length and the number of bytes received. This is prone to error; let's make sure that extraneous data at the end of a message is ignored by parsing the bssmap length correctly. Change-Id: I3b89dd5a66ec83b03860b58b6b8eb58007f433a4 Related: OS#3806
-rw-r--r--src/libmsc/a_iface_bssap.c28
1 files changed, 28 insertions, 0 deletions
diff --git a/src/libmsc/a_iface_bssap.c b/src/libmsc/a_iface_bssap.c
index cb245b805..3e33c46c1 100644
--- a/src/libmsc/a_iface_bssap.c
+++ b/src/libmsc/a_iface_bssap.c
@@ -703,6 +703,33 @@ static int rx_dtap(const struct osmo_sccp_user *scu, const struct a_conn_info *a
return 0;
}
+/* Extract and verify the length information from the BSSMAP header. */
+void bssmap_msg_verify_len(struct msgb *msg)
+{
+ unsigned int expected_len;
+ unsigned int calculated_len;
+ struct bssmap_header *bssmap_header;
+
+ bssmap_header = (struct bssmap_header *)msg->l2h;
+
+ calculated_len = msgb_l3len(msg);
+ expected_len = bssmap_header->length;
+
+ /* In case of contradictory length information, decide for the
+ * shorter length */
+ if (calculated_len > expected_len) {
+ LOGP(DBSSAP, LOGL_NOTICE,
+ "BSSMAP message contains extra data, expected %u bytes, got %u bytes, truncated\n",
+ expected_len, calculated_len);
+ msgb_l3trim(msg, expected_len);
+ } else if (calculated_len < expected_len) {
+ LOGP(DMSC, LOGL_NOTICE,
+ "Short BSSMAP message, expected %u bytes, got %u bytes\n",
+ expected_len, calculated_len);
+ msgb_l3trim(msg, calculated_len);
+ }
+}
+
/* Handle incoming connection oriented messages. No ownership of 'msg' is passed on! */
int a_sccp_rx_dt(struct osmo_sccp_user *scu, const struct a_conn_info *a_conn_info, struct msgb *msg)
{
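Review bot: bssmap_msg_verify_len reads `bssmap_header->length` and calls msgb_l3len() without first checking that the L2 data actually covers a full `struct bssmap_header`; unless a_sccp_rx_dt already guarantees that before its switch (the start of that function is outside the second hunk), a message shorter than the header yields a garbage expected_len and an msgb_l3len() that underflows to a large unsigned value, so the "extra data" branch then trims the message to a length derived from the bogus header. A guard such as `if (msgb_l2len(msg) < sizeof(struct bssmap_header)) return;` at the top (or better, an int return the caller at the second hunk checks before calling rx_bssmap) would make the function self-contained. Separately, the short-message branch only logs: `msgb_l3trim(msg, calculated_len)` is a no-op because msgb_l3len() already equals calculated_len, so a truncated message still reaches rx_bssmap unchanged, and the two branches log under different subsystems (DBSSAP vs DMSC), which looks accidental. As far as the diff shows the only caller is in this file, so the function could also be `static`.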
@@ -718,6 +745,7 @@ int a_sccp_rx_dt(struct osmo_sccp_user *scu, const struct a_conn_info *a_conn_in
switch (msg->l2h[0]) {
case BSSAP_MSG_BSS_MANAGEMENT:
msg->l3h = &msg->l2h[sizeof(struct bssmap_header)];
+ bssmap_msg_verify_len(msg);
return rx_bssmap(scu, a_conn_info, msg);
case BSSAP_MSG_DTAP:
return rx_dtap(scu, a_conn_info, msg);