apply correct bounds for various array inputs #142
Conversation
|
Can one of the admins verify this patch? |
3 similar comments
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
| @@ -80,6 +80,11 @@ int convertToInitUeProtoIe(InitiatingMessage_t *msg, struct proto_IE* proto_ies, | |||
| return -1; | |||
| } | |||
|
|
|||
| if (s1apNASPDU_p->size > 300) { | |||
There was a problem hiding this comment.
How did you arrive at 300?
There was a problem hiding this comment.
The destination of the memcpy is s1Msg->nasMsg.nasMsgBuf. s1Msg is of type initial_ue_msg_t, which has the following definition:
Nucleus/include/common/msgType.h
Lines 603 to 614 in a8002eb
Following from that, the rawNas_Q_msg_t type has definition:
Nucleus/include/common/msgType.h
Lines 114 to 118 in a8002eb
... which actually uses MAX_NAS_MSG_SIZE, equal to 500 bytes. My bad. I think I had seen the general nasMsgBuf field in several other types having a constant of 300, such as:
Nucleus/include/common/msgType.h
Lines 339 to 347 in a8002eb
... and wrongly assumed they would be consistent across all message types. I'll get that fixed.
| @@ -468,6 +473,11 @@ int convertUplinkNasToProtoIe(InitiatingMessage_t *msg, struct proto_IE* proto_i | |||
| return -1; | |||
| } | |||
|
|
|||
| if (s1apNASPDU_p->size > 300) { | |||
There was a problem hiding this comment.
same comment - how you arrived at 300?
There was a problem hiding this comment.
I relied on the same assumption as above, which may be wrong. In this case, s1Msg is of type uplink_nas_t, which is defined here:
Nucleus/include/common/msgType.h
Lines 616 to 631 in a8002eb
It likewise uses a rawNas_Q_msg_t:
Nucleus/include/common/msgType.h
Lines 114 to 118 in a8002eb
So yes, it should be changed to MAX_NAS_MSG_SIZE as well. Ill get this fixed too.
| @@ -646,6 +660,11 @@ int convertInitCtxRspToProtoIe(SuccessfulOutcome_t *msg, struct proto_IE* proto_ | |||
|
|
|||
| if(s1apErabSetupItem_p->transportLayerAddress.buf != NULL) | |||
| { | |||
| if (s1apErabSetupItem_p->transportLayerAddress.size != sizeof(int)) { | |||
There was a problem hiding this comment.
May need formatting of the code..seems space & tab combination. Could you pls fix it?
|
@nathaniel-bennett, you need to "redo" your commit using the |
Signed-off-by: Nathaniel Bennett <[email protected]>
nathaniel-bennett
force-pushed
the
master
branch
from
2b1c2a7 to
b63dc5c
Compare
|
Alright, I've gone ahead and force-pushed the requested changes (including |
Fixes several out-of-bounds memory accesses that can be triggered via an unauthenticated cellular device.
Partially deals with #143, though the ASN.1 files for S1AP will still need to be regenerated using a new version of the asn1c compiler (e.g. https://github.com/mouse07410/asn1c) in order to resolve the buffer overflow issues contained within it. It appears to be a static-compiled library that is stored in the git repo and linked at build time.