Commit 9999403e authored by winckel's avatar winckel

Modified "xer_sprint" to avoid string buffer overflow.

Added transmission of security parameters from S1AP to lower layers.

git-svn-id: http://svn.eurecom.fr/openair4G/trunk@4524 818b1a75-f10b-46b9-bf7c-635c3b92a50f
parent 1785e31f
...@@ -103,6 +103,13 @@ int errno; ...@@ -103,6 +103,13 @@ int errno;
#define msg printf #define msg printf
#endif #endif
typedef struct xer_sprint_string_s
{
char *string;
size_t string_size;
size_t string_index;
} xer_sprint_string_t;
extern unsigned char NB_eNB_INST; extern unsigned char NB_eNB_INST;
uint16_t two_tier_hexagonal_cellIds[7] = {0,1,2,4,5,7,8}; uint16_t two_tier_hexagonal_cellIds[7] = {0,1,2,4,5,7,8};
...@@ -120,22 +127,39 @@ uint16_t two_tier_hexagonal_adjacent_cellIds[7][6] = {{1,2,4,5,7,8}, // CellI ...@@ -120,22 +127,39 @@ uint16_t two_tier_hexagonal_adjacent_cellIds[7][6] = {{1,2,4,5,7,8}, // CellI
*/ */
static int xer__print2s (const void *buffer, size_t size, void *app_key) static int xer__print2s (const void *buffer, size_t size, void *app_key)
{ {
char *string = (char *) app_key; xer_sprint_string_t *string_buffer = (xer_sprint_string_t *) app_key;
size_t string_remaining = string_buffer->string_size - string_buffer->string_index;
strncat(string, buffer, size); if (string_remaining > 0)
{
if (size > string_remaining)
{
size = string_remaining;
}
memcpy(&string_buffer->string[string_buffer->string_index], buffer, size);
string_buffer->string_index += size;
}
return 0; return 0;
} }
int xer_sprint (char *string, asn_TYPE_descriptor_t *td, void *sptr) int xer_sprint (char *string, size_t string_size, asn_TYPE_descriptor_t *td, void *sptr)
{ {
asn_enc_rval_t er; asn_enc_rval_t er;
xer_sprint_string_t string_buffer;
er = xer_encode(td, sptr, XER_F_BASIC, xer__print2s, string); string_buffer.string = string;
if (er.encoded == -1) string_buffer.string_size = string_size;
return -1; string_buffer.string_index = 0;
return 0; er = xer_encode(td, sptr, XER_F_BASIC, xer__print2s, &string_buffer);
if (er.encoded > string_buffer.string_size)
{
LOG_E(RRC, "xer_sprint string buffer too small, got %d need %d!", string_buffer.string_size, er.encoded);
er.encoded = string_buffer.string_size;
}
return er.encoded;
} }
uint16_t get_adjacent_cell_id(uint8_t Mod_id,uint8_t index) { uint16_t get_adjacent_cell_id(uint8_t Mod_id,uint8_t index) {
...@@ -2016,22 +2040,17 @@ OAI_UECapability_t *fill_ue_capability() { ...@@ -2016,22 +2040,17 @@ OAI_UECapability_t *fill_ue_capability() {
} }
# else # else
{ {
char *message_string = NULL; char message_string[10000];
size_t message_string_size;
message_string = calloc(10000, sizeof(char)); if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_UE_EUTRA_Capability, (void *)UE_EUTRA_Capability)) > 0)
if (xer_sprint(message_string, &asn_DEF_UE_EUTRA_Capability, (void *)UE_EUTRA_Capability) >= 0)
{ {
MessageDef *message_p; MessageDef *message_p;
size_t message_string_size;
message_string_size = strlen(message_string);
message_p = itti_alloc_new_message_sized (TASK_RRC_UE, GENERIC_LOG, message_string_size); message_p = itti_alloc_new_message_sized (TASK_RRC_UE, GENERIC_LOG, message_string_size);
memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size); memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size);
itti_send_msg_to_task(TASK_UNKNOWN, INSTANCE_DEFAULT, message_p); itti_send_msg_to_task(TASK_UNKNOWN, INSTANCE_DEFAULT, message_p);
free(message_string);
} }
} }
# endif # endif
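Review bot: In xer_sprint the check `if (er.encoded > string_buffer.string_size)` masks the encoder's failure return: asn1c's asn_enc_rval_t declares encoded as a signed ssize_t and reports failure with -1, and comparing that against a size_t converts it to SIZE_MAX, so the branch logs "buffer too small" and returns string_size as if the whole buffer were valid — every caller changed in this commit then forwards string_size bytes of an uninitialized stack array. Test the error case first, `if (er.encoded < 0) return -1;`, and then compare with matching types, `if ((size_t)er.encoded > string_buffer.string_size)`. The LOG_E on the next line formats a size_t and a ssize_t with %d; use %zu and %zd. Note also that xer__print2s no longer NUL-terminates the output, unlike the strncat it replaces, so any caller outside this commit that still treats the buffer as a C string needs review (the callers changed here use the returned length instead).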
......
...@@ -61,7 +61,7 @@ ...@@ -61,7 +61,7 @@
* -1: Problem printing the structure. * -1: Problem printing the structure.
* WARNING: No sensible errno value is returned. * WARNING: No sensible errno value is returned.
*/ */
int xer_sprint(char *string, struct asn_TYPE_descriptor_s *td, void *sptr); int xer_sprint(char *string, size_t string_size, struct asn_TYPE_descriptor_s *td, void *sptr);
uint16_t get_adjacent_cell_id(uint8_t Mod_id,uint8_t index); uint16_t get_adjacent_cell_id(uint8_t Mod_id,uint8_t index);
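Review bot: The comment block above the xer_sprint prototype still documents only the -1 failure return and says nothing about the new string_size parameter or about the return value now being the number of bytes placed in string, with output truncated to string_size and no NUL terminator written. Add lines such as ` * string_size: capacity of string in bytes; output beyond it is dropped and the buffer is not NUL-terminated.` and ` * Returns the number of bytes written to string, or -1 if encoding failed.` The comment begins outside the hunk.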
......
...@@ -343,22 +343,17 @@ int rrc_ue_decode_ccch(u8 Mod_id, u32 frame, SRB_INFO *Srb_info, u8 eNB_index){ ...@@ -343,22 +343,17 @@ int rrc_ue_decode_ccch(u8 Mod_id, u32 frame, SRB_INFO *Srb_info, u8 eNB_index){
} }
# else # else
{ {
char *message_string = NULL; char message_string[10000];
size_t message_string_size;
message_string = calloc(10000, sizeof(char)); if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_DL_CCCH_Message, (void *)dl_ccch_msg)) > 0)
if (xer_sprint(message_string, &asn_DEF_DL_CCCH_Message, (void *)dl_ccch_msg) >= 0)
{ {
MessageDef *message_p; MessageDef *message_p;
size_t message_string_size;
message_string_size = strlen(message_string);
message_p = itti_alloc_new_message_sized (TASK_RRC_UE, GENERIC_LOG, message_string_size); message_p = itti_alloc_new_message_sized (TASK_RRC_UE, GENERIC_LOG, message_string_size);
memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size); memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size);
itti_send_msg_to_task(TASK_UNKNOWN, Mod_id + NB_eNB_INST, message_p); itti_send_msg_to_task(TASK_UNKNOWN, Mod_id + NB_eNB_INST, message_p);
free(message_string);
} }
} }
# endif # endif
...@@ -1378,22 +1373,17 @@ void rrc_ue_decode_dcch(u8 Mod_id,u32 frame,u8 Srb_id, u8 *Buffer,u8 eNB_index) ...@@ -1378,22 +1373,17 @@ void rrc_ue_decode_dcch(u8 Mod_id,u32 frame,u8 Srb_id, u8 *Buffer,u8 eNB_index)
} }
# else # else
{ {
char *message_string = NULL; char message_string[20000];
size_t message_string_size;
message_string = calloc(20000, sizeof(char));
if (xer_sprint(message_string, &asn_DEF_DL_DCCH_Message, (void *)dl_dcch_msg) >= 0) if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_DL_DCCH_Message, (void *)dl_dcch_msg)) > 0)
{ {
MessageDef *message_p; MessageDef *message_p;
size_t message_string_size;
message_string_size = strlen(message_string);
message_p = itti_alloc_new_message_sized (TASK_RRC_UE, GENERIC_LOG, message_string_size); message_p = itti_alloc_new_message_sized (TASK_RRC_UE, GENERIC_LOG, message_string_size);
memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size); memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size);
itti_send_msg_to_task(TASK_UNKNOWN, Mod_id + NB_eNB_INST, message_p); itti_send_msg_to_task(TASK_UNKNOWN, Mod_id + NB_eNB_INST, message_p);
free(message_string);
} }
} }
# endif # endif
...@@ -1593,22 +1583,17 @@ int decode_BCCH_DLSCH_Message(u8 Mod_id,u32 frame,u8 eNB_index,u8 *Sdu,u8 Sdu_le ...@@ -1593,22 +1583,17 @@ int decode_BCCH_DLSCH_Message(u8 Mod_id,u32 frame,u8 eNB_index,u8 *Sdu,u8 Sdu_le
} }
# else # else
{ {
char *message_string = NULL; char message_string[15000];
size_t message_string_size;
message_string = calloc(10000, sizeof(char));
if (xer_sprint(message_string, &asn_DEF_BCCH_DL_SCH_Message, (void *)bcch_message) >= 0) if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_BCCH_DL_SCH_Message, (void *)bcch_message)) > 0)
{ {
MessageDef *message_p; MessageDef *message_p;
size_t message_string_size;
message_string_size = strlen(message_string);
message_p = itti_alloc_new_message_sized (TASK_RRC_UE, GENERIC_LOG, message_string_size); message_p = itti_alloc_new_message_sized (TASK_RRC_UE, GENERIC_LOG, message_string_size);
memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size); memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size);
itti_send_msg_to_task(TASK_UNKNOWN, Mod_id + NB_eNB_INST, message_p); itti_send_msg_to_task(TASK_UNKNOWN, Mod_id + NB_eNB_INST, message_p);
free(message_string);
} }
} }
# endif # endif
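Review bot: `message_string_size` is declared size_t while xer_sprint returns int, so in all three hunks (rrc_ue_decode_ccch, rrc_ue_decode_dcch, decode_BCCH_DLSCH_Message) a -1 failure return is converted to SIZE_MAX, satisfies the `> 0` test, and is passed to itti_alloc_new_message_sized and memcpy as the length. Keep the result in a signed local and convert only after the test: `int n = xer_sprint(message_string, sizeof(message_string), &asn_DEF_DL_CCCH_Message, (void *)dl_ccch_msg);` / `if (n > 0) {` / `message_string_size = (size_t)n;`. Because the arrays are uninitialized stack buffers, any mismatch between the returned length and the bytes actually written sends stale stack contents to the GENERIC_LOG consumer, so the negative-return handling matters here as well as inside xer_sprint. The enclosing functions begin and end outside the hunks.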
......
...@@ -2514,22 +2514,17 @@ int rrc_eNB_decode_ccch (u8 Mod_id, u32 frame, SRB_INFO * Srb_info) ...@@ -2514,22 +2514,17 @@ int rrc_eNB_decode_ccch (u8 Mod_id, u32 frame, SRB_INFO * Srb_info)
} }
# else # else
{ {
char *message_string = NULL; char message_string[10000];
size_t message_string_size;
message_string = calloc(10000, sizeof(char)); if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_UL_CCCH_Message, (void *)ul_ccch_msg)) > 0)
if (xer_sprint(message_string, &asn_DEF_UL_CCCH_Message, (void *)ul_ccch_msg) >= 0)
{ {
MessageDef *message_p; MessageDef *message_p;
size_t message_string_size;
message_string_size = strlen(message_string);
message_p = itti_alloc_new_message_sized (TASK_RRC_ENB, GENERIC_LOG, message_string_size); message_p = itti_alloc_new_message_sized (TASK_RRC_ENB, GENERIC_LOG, message_string_size);
memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size); memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size);
itti_send_msg_to_task(TASK_UNKNOWN, Mod_id, message_p); itti_send_msg_to_task(TASK_UNKNOWN, Mod_id, message_p);
free(message_string);
} }
} }
# endif # endif
...@@ -2731,22 +2726,17 @@ int rrc_eNB_decode_dcch (u8 Mod_id, u32 frame, u8 Srb_id, u8 UE_index, ...@@ -2731,22 +2726,17 @@ int rrc_eNB_decode_dcch (u8 Mod_id, u32 frame, u8 Srb_id, u8 UE_index,
} }
# else # else
{ {
char *message_string = NULL; char message_string[10000];
size_t message_string_size;
message_string = calloc(10000, sizeof(char)); if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_UL_DCCH_Message, (void *)ul_dcch_msg)) >= 0)
if (xer_sprint(message_string, &asn_DEF_UL_DCCH_Message, (void *)ul_dcch_msg) >= 0)
{ {
MessageDef *message_p; MessageDef *message_p;
size_t message_string_size;
message_string_size = strlen(message_string);
message_p = itti_alloc_new_message_sized (TASK_RRC_ENB, GENERIC_LOG, message_string_size); message_p = itti_alloc_new_message_sized (TASK_RRC_ENB, GENERIC_LOG, message_string_size);
memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size); memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size);
itti_send_msg_to_task(TASK_UNKNOWN, Mod_id, message_p); itti_send_msg_to_task(TASK_UNKNOWN, Mod_id, message_p);
free(message_string);
} }
} }
# endif # endif
...@@ -2796,30 +2786,21 @@ int rrc_eNB_decode_dcch (u8 Mod_id, u32 frame, u8 Srb_id, u8 UE_index, ...@@ -2796,30 +2786,21 @@ int rrc_eNB_decode_dcch (u8 Mod_id, u32 frame, u8 Srb_id, u8 UE_index,
rrcConnectionReconfigurationComplete.criticalExtensions. rrcConnectionReconfigurationComplete.criticalExtensions.
present == present ==
RRCConnectionReconfigurationComplete__criticalExtensions_PR_rrcConnectionReconfigurationComplete_r8) RRCConnectionReconfigurationComplete__criticalExtensions_PR_rrcConnectionReconfigurationComplete_r8)
{ {
rrc_eNB_process_RRCConnectionReconfigurationComplete (Mod_id, rrc_eNB_process_RRCConnectionReconfigurationComplete (Mod_id,
frame, frame,
UE_index, UE_index,
&ul_dcch_msg-> &ul_dcch_msg->
message. message.
choice.c1. choice.c1.
choice. choice.
rrcConnectionReconfigurationComplete. rrcConnectionReconfigurationComplete.
criticalExtensions. criticalExtensions.
choice. choice.
rrcConnectionReconfigurationComplete_r8); rrcConnectionReconfigurationComplete_r8);
eNB_rrc_inst[Mod_id].Info.UE[UE_index].Status = RRC_RECONFIGURED; eNB_rrc_inst[Mod_id].Info.UE[UE_index].Status = RRC_RECONFIGURED;
LOG_I (RRC, "[eNB %d] UE %d State = RRC_RECONFIGURED \n", LOG_I (RRC, "[eNB %d] UE %d State = RRC_RECONFIGURED \n",
Mod_id, UE_index); Mod_id, UE_index);
#if defined(ENABLE_USE_MME)
if (EPC_MODE_ENABLED == 1)
{
# if defined(ENABLE_ITTI)
eNB_rrc_inst[Mod_id].Info.UE[UE_index].e_rab[eNB_rrc_inst[Mod_id].Info.UE[UE_index].index_of_e_rabs - 1].status = E_RAB_STATUS_DONE;
}
# endif
#endif
} }
#if defined(ENABLE_USE_MME) #if defined(ENABLE_USE_MME)
...@@ -2828,28 +2809,7 @@ int rrc_eNB_decode_dcch (u8 Mod_id, u32 frame, u8 Srb_id, u8 UE_index, ...@@ -2828,28 +2809,7 @@ int rrc_eNB_decode_dcch (u8 Mod_id, u32 frame, u8 Srb_id, u8 UE_index,
# if defined(ENABLE_ITTI) # if defined(ENABLE_ITTI)
eNB_RRC_UE_INFO *UE_info = &eNB_rrc_inst[Mod_id].Info.UE[UE_index]; eNB_RRC_UE_INFO *UE_info = &eNB_rrc_inst[Mod_id].Info.UE[UE_index];
/* Process e RAB parameters received from S1AP one by one (the previous one is completed, eventually process the next one) */ rrc_eNB_send_S1AP_INITIAL_CONTEXT_SETUP_RESP (Mod_id, UE_index);
if (UE_info->nb_of_e_rabs > 0)
{
/* Process e RAB configuration from S1AP initial_context_setup_req */
rrc_eNB_generate_defaultRRCConnectionReconfiguration (Mod_id, frame,
UE_index,
UE_info->e_rab[UE_info->index_of_e_rabs].param.nas_pdu.buffer,
UE_info->e_rab[UE_info->index_of_e_rabs].param.nas_pdu.length,
eNB_rrc_inst[Mod_id].HO_flag);
/* Free the NAS PDU buffer and invalidate it */
if (UE_info->e_rab[UE_info->index_of_e_rabs].param.nas_pdu.buffer != NULL)
{
free (UE_info->e_rab[UE_info->index_of_e_rabs].param.nas_pdu.buffer);
}
UE_info->e_rab[UE_info->index_of_e_rabs].param.nas_pdu.buffer = NULL;
UE_info->nb_of_e_rabs --;
UE_info->index_of_e_rabs ++;
}
else
{
rrc_eNB_send_S1AP_INITIAL_CONTEXT_SETUP_RESP (Mod_id, UE_index);
}
# endif # endif
} }
#endif #endif
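Review bot: The UL_DCCH hunk keeps `>= 0` as the test on xer_sprint's return while the UL_CCCH hunk above uses `> 0`; with a zero-length result this path allocates and sends an empty GENERIC_LOG message, so change it to `if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_UL_DCCH_Message, (void *)ul_dcch_msg)) > 0)`. In both hunks message_string_size is size_t and xer_sprint returns int, so a -1 return becomes SIZE_MAX and passes either test; hold the result in an int and assign it to message_string_size only after checking it is positive. In the last hunk the per-E-RAB branch is replaced by an unconditional rrc_eNB_send_S1AP_INITIAL_CONTEXT_SETUP_RESP, which looks intentional given the parallel removal in the RRC_RECONFIGURED path, but the removed release of the NAS PDU buffer has no visible replacement in this commit; confirm it is freed elsewhere. rrc_eNB_decode_dcch begins and ends outside these hunks.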
......
...@@ -400,10 +400,13 @@ int rrc_eNB_process_S1AP_INITIAL_CONTEXT_SETUP_REQ(MessageDef *msg_p, const char ...@@ -400,10 +400,13 @@ int rrc_eNB_process_S1AP_INITIAL_CONTEXT_SETUP_REQ(MessageDef *msg_p, const char
/* TODO parameters yet to process ... */ /* TODO parameters yet to process ... */
{ {
S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).ue_ambr; S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).ue_ambr;
S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).security_capabilities.encryption_algorithms;
S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).security_capabilities.integrity_algorithms;
S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).security_key; S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).security_key;
} }
/* Save security parameters, assuming S1AP and RRC are using the same coding for all configuration */
eNB_rrc_inst[instance].ciphering_algorithm[ue_index] =
S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).security_capabilities.encryption_algorithms;
eNB_rrc_inst[instance].ciphering_algorithm[ue_index] =
S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).security_capabilities.integrity_algorithms;
{ {
uint8_t send_security_mode_command = TRUE; uint8_t send_security_mode_command = TRUE;
...@@ -451,13 +454,21 @@ int rrc_eNB_process_S1AP_UE_CTXT_MODIFICATION_REQ(MessageDef *msg_p, const char ...@@ -451,13 +454,21 @@ int rrc_eNB_process_S1AP_UE_CTXT_MODIFICATION_REQ(MessageDef *msg_p, const char
if (S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).present & S1AP_UE_CONTEXT_MODIFICATION_SECURITY_KEY) { if (S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).present & S1AP_UE_CONTEXT_MODIFICATION_SECURITY_KEY) {
S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).security_key; S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).security_key;
} }
if (S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).present & S1AP_UE_CONTEXT_MODIFICATION_UE_AMBR) { if (S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).present & S1AP_UE_CONTEXT_MODIFICATION_UE_AMBR) {
S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).ue_ambr; S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).ue_ambr;
} }
if (S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).present & S1AP_UE_CONTEXT_MODIFICATION_UE_SECU_CAP) { }
S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).security_capabilities.encryption_algorithms;
S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).security_capabilities.integrity_algorithms; if (S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).present & S1AP_UE_CONTEXT_MODIFICATION_UE_SECU_CAP) {
} /* Save security parameters, assuming S1AP and RRC are using the same coding for all configuration */
eNB_rrc_inst[instance].ciphering_algorithm[ue_index] =
S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).security_capabilities.encryption_algorithms;
eNB_rrc_inst[instance].ciphering_algorithm[ue_index] =
S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).security_capabilities.integrity_algorithms;
/* transmit the new security parameters to UE */
rrc_eNB_generate_SecurityModeCommand (instance, 0 /* TODO put frame number ! */, ue_index);
} }
/* Send the response */ /* Send the response */
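Review bot: Both new assignments write the same field, `eNB_rrc_inst[instance].ciphering_algorithm[ue_index]`, so the second one, fed from security_capabilities.integrity_algorithms, overwrites the ciphering algorithm with the integrity value and the integrity algorithm is never stored — in rrc_eNB_process_S1AP_INITIAL_CONTEXT_SETUP_REQ and again in rrc_eNB_process_S1AP_UE_CTXT_MODIFICATION_REQ. The second assignment should target the integrity-algorithm member of eNB_rrc_inst, whatever it is named there (it is not visible in these hunks). The comment's assumption that S1AP and RRC "use the same coding" also needs checking: if security_capabilities carries the UE's supported-algorithm bitmap, as the S1AP UESecurityCapabilities IE does, copying it straight into the selected algorithm skips the selection step and hands a bitmap where the SecurityModeCommand expects a single algorithm identifier. rrc_eNB_generate_SecurityModeCommand is additionally called with a hard-coded frame of 0, as the inline TODO notes, which should be resolved before this path is relied on. Both functions begin outside the hunks.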
......