[SEC] Fix Assertion ogs_pfcp_parse_volume (open5gs#3207)

pespin · May 18, 2024 · 02d302b · 02d302b
1 parent 15ff23d
commit 02d302b
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 5 deletions.
diff --git a/lib/pfcp/handler.c b/lib/pfcp/handler.c
@@ -1329,6 +1329,7 @@ ogs_pfcp_urr_t *ogs_pfcp_handle_create_urr(ogs_pfcp_sess_t *sess,
         ogs_pfcp_tlv_create_urr_t *message,
         uint8_t *cause_value, uint8_t *offending_ie_value)
 {
+    int16_t decoded;
     ogs_pfcp_urr_t *urr = NULL;
 
     ogs_assert(message);
@@ -1377,12 +1378,26 @@ ogs_pfcp_urr_t *ogs_pfcp_handle_create_urr(ogs_pfcp_sess_t *sess,
 
     if (message->volume_threshold.presence &&
         (urr->meas_method & OGS_PFCP_MEASUREMENT_METHOD_VOLUME)) {
-        ogs_pfcp_parse_volume(&urr->vol_threshold, &message->volume_threshold);
+        decoded = ogs_pfcp_parse_volume(
+                &urr->vol_threshold, &message->volume_threshold);
+        if (message->volume_threshold.len != decoded) {
+            ogs_error("Invalid Volume Threshold");
+            *cause_value = OGS_PFCP_CAUSE_MANDATORY_IE_INCORRECT;
+            *offending_ie_value = OGS_PFCP_VOLUME_THRESHOLD_TYPE;
+            return NULL;
+        }
     }
 
     if (message->volume_quota.presence &&
         (urr->meas_method & OGS_PFCP_MEASUREMENT_METHOD_VOLUME)) {
-        ogs_pfcp_parse_volume(&urr->vol_quota, &message->volume_quota);
+        decoded = ogs_pfcp_parse_volume(
+                &urr->vol_quota, &message->volume_quota);
+        if (message->volume_quota.len != decoded) {
+            ogs_error("Invalid Volume Quota");
+            *cause_value = OGS_PFCP_CAUSE_MANDATORY_IE_INCORRECT;
+            *offending_ie_value = OGS_PFCP_VOLUME_QUOTA_TYPE;
+            return NULL;
+        }
     }
 
     if (message->event_threshold.presence &&
@@ -1431,6 +1446,7 @@ ogs_pfcp_urr_t *ogs_pfcp_handle_update_urr(ogs_pfcp_sess_t *sess,
         ogs_pfcp_tlv_update_urr_t *message,
         uint8_t *cause_value, uint8_t *offending_ie_value)
 {
+    int16_t decoded;
     ogs_pfcp_urr_t *urr = NULL;
 
     ogs_assert(message);
@@ -1469,12 +1485,26 @@ ogs_pfcp_urr_t *ogs_pfcp_handle_update_urr(ogs_pfcp_sess_t *sess,
 
     if (message->volume_threshold.presence &&
         (urr->meas_method & OGS_PFCP_MEASUREMENT_METHOD_VOLUME)) {
-        ogs_pfcp_parse_volume(&urr->vol_threshold, &message->volume_threshold);
+        decoded = ogs_pfcp_parse_volume(
+                &urr->vol_threshold, &message->volume_threshold);
+        if (message->volume_threshold.len != decoded) {
+            ogs_error("Invalid Volume Threshold");
+            *cause_value = OGS_PFCP_CAUSE_MANDATORY_IE_INCORRECT;
+            *offending_ie_value = OGS_PFCP_VOLUME_THRESHOLD_TYPE;
+            return NULL;
+        }
     }
 
     if (message->volume_quota.presence &&
         (urr->meas_method & OGS_PFCP_MEASUREMENT_METHOD_VOLUME)) {
-        ogs_pfcp_parse_volume(&urr->vol_quota, &message->volume_quota);
+        decoded = ogs_pfcp_parse_volume(
+                &urr->vol_quota, &message->volume_quota);
+        if (message->volume_quota.len != decoded) {
+            ogs_error("Invalid Volume Quota");
+            *cause_value = OGS_PFCP_CAUSE_MANDATORY_IE_INCORRECT;
+            *offending_ie_value = OGS_PFCP_VOLUME_QUOTA_TYPE;
+            return NULL;
+        }
     }
 
     if (message->event_threshold.presence &&

diff --git a/lib/pfcp/types.c b/lib/pfcp/types.c
@@ -542,25 +542,44 @@ int16_t ogs_pfcp_parse_volume(
     size += sizeof(volume->flags);
 
     if (volume->tovol) {
+        if (size + sizeof(volume->total_volume) > octet->len) {
+            ogs_error("size[%d]+sizeof(volume->total_volume)[%d] "
+                    "> IE Length[%d]",
+                    size, (int)sizeof(volume->total_volume), octet->len);
+            return 0;
+        }
         memcpy(&volume->total_volume, (unsigned char *)octet->data + size,
                 sizeof(volume->total_volume));
         volume->total_volume = be64toh(volume->total_volume);
         size += sizeof(volume->total_volume);
     }
     if (volume->ulvol) {
+        if (size + sizeof(volume->uplink_volume) > octet->len) {
+            ogs_error("size[%d]+sizeof(volume->uplink_volume)[%d] "
+                    "> IE Length[%d]",
+                    size, (int)sizeof(volume->uplink_volume), octet->len);
+            return 0;
+        }
         memcpy(&volume->uplink_volume, (unsigned char *)octet->data + size,
                 sizeof(volume->uplink_volume));
         volume->uplink_volume = be64toh(volume->uplink_volume);
         size += sizeof(volume->uplink_volume);
     }
     if (volume->dlvol) {
+        if (size + sizeof(volume->downlink_volume) > octet->len) {
+            ogs_error("size[%d]+sizeof(volume->downlink_volume)[%d] "
+                    "> IE Length[%d]",
+                    size, (int)sizeof(volume->downlink_volume), octet->len);
+            return 0;
+        }
         memcpy(&volume->downlink_volume, (unsigned char *)octet->data + size,
                 sizeof(volume->downlink_volume));
         volume->downlink_volume = be64toh(volume->downlink_volume);
         size += sizeof(volume->downlink_volume);
     }
 
-    ogs_assert(size == octet->len);
+    if (size != octet->len)
+        ogs_error("Mismatch IE Length[%d] != Decoded[%d]", octet->len, size);
 
     return size;
 }