gprs_bssgp_pcu: ensure only known BVCI can be resetted by the SGSN

Related: OS#3879 Change-Id: I04e36ce4a29e51d85e67a0d3a81aa0e1eb9e9c08
author: Alexander Couzens <lynxis@fe80.eu> 2021-02-22 02:08:18 +0100
committer: laforge <laforge@osmocom.org> 2021-03-23 17:47:22 +0000
commit: 82519264ca9b93613ca8d815491a0295a94c0406 (patch)
tree: 101c68545e54e3547406ceffcb9403c13462904d /src
parent: d7f0558b5c613da210e332e958e77d6b6c52c044 (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/src/gprs_bssgp_pcu.c b/src/gprs_bssgp_pcu.c
index fd3f0db9..4170a662 100644
--- a/src/gprs_bssgp_pcu.c
+++ b/src/gprs_bssgp_pcu.c
@@ -415,6 +415,7 @@ static int gprs_bssgp_pcu_rcvmsg(struct msgb *msg)
 	struct tlv_parsed tp;
 	enum bssgp_pdu_type pdu_type = (enum bssgp_pdu_type) bgph->pdu_type;
 	uint16_t ns_bvci = msgb_bvci(msg), nsei = msgb_nsei(msg);
+	uint16_t bvci;
 	int data_len;
 	int rc = 0;
 	struct bssgp_bvc_ctx *bctx;
@@ -456,6 +457,17 @@ static int gprs_bssgp_pcu_rcvmsg(struct msgb *msg)
 	}
 
 	if (pdu_type == BSSGP_PDUT_BVC_RESET) {
+		if (ns_bvci != BVCI_SIGNALLING || !TLVP_PRESENT(&tp, BSSGP_IE_BVCI)) {
+			LOGP(DBSSGP, LOGL_ERROR, "Rx an invalid BVC-RESET %s\n", msgb_hexdump(msg));
+			return bssgp_tx_status(BSSGP_CAUSE_INV_MAND_INF, NULL, msg);
+		}
+
+		bvci = tlvp_val16be(&tp, BSSGP_IE_BVCI);
+		if (bvci != BVCI_SIGNALLING && bvci != the_pcu->bssgp.bctx->bvci) {
+			LOGP(DBSSGP, LOGL_ERROR, "Rx BVC-RESET for an unknown BVCI %d\n", bvci);
+			return bssgp_tx_status(BSSGP_CAUSE_UNKNOWN_BVCI, &bvci, msg);
+		}
+
 		return bssgp_rcvmsg(msg);
 	}
author	Alexander Couzens <lynxis@fe80.eu>	2021-02-22 02:08:18 +0100
committer	laforge <laforge@osmocom.org>	2021-03-23 17:47:22 +0000
commit	82519264ca9b93613ca8d815491a0295a94c0406 (patch)
tree	101c68545e54e3547406ceffcb9403c13462904d /src
parent	d7f0558b5c613da210e332e958e77d6b6c52c044 (diff)