Commit 9999403e authored by winckel's avatar winckel

Modified "xer_sprint" to avoid string buffer overflow.

Added transmission of security parameters from S1AP to lower layers.

git-svn-id: http://svn.eurecom.fr/openair4G/trunk@4524 818b1a75-f10b-46b9-bf7c-635c3b92a50f
parent 1785e31f
......@@ -103,6 +103,13 @@ int errno;
#define msg printf
#endif
typedef struct xer_sprint_string_s
{
char *string;
size_t string_size;
size_t string_index;
} xer_sprint_string_t;
extern unsigned char NB_eNB_INST;
uint16_t two_tier_hexagonal_cellIds[7] = {0,1,2,4,5,7,8};
......@@ -120,22 +127,39 @@ uint16_t two_tier_hexagonal_adjacent_cellIds[7][6] = {{1,2,4,5,7,8}, // CellI
*/
static int xer__print2s (const void *buffer, size_t size, void *app_key)
{
char *string = (char *) app_key;
xer_sprint_string_t *string_buffer = (xer_sprint_string_t *) app_key;
size_t string_remaining = string_buffer->string_size - string_buffer->string_index;
strncat(string, buffer, size);
if (string_remaining > 0)
{
if (size > string_remaining)
{
size = string_remaining;
}
memcpy(&string_buffer->string[string_buffer->string_index], buffer, size);
string_buffer->string_index += size;
}
return 0;
}
int xer_sprint (char *string, asn_TYPE_descriptor_t *td, void *sptr)
int xer_sprint (char *string, size_t string_size, asn_TYPE_descriptor_t *td, void *sptr)
{
asn_enc_rval_t er;
xer_sprint_string_t string_buffer;
er = xer_encode(td, sptr, XER_F_BASIC, xer__print2s, string);
if (er.encoded == -1)
return -1;
string_buffer.string = string;
string_buffer.string_size = string_size;
string_buffer.string_index = 0;
return 0;
er = xer_encode(td, sptr, XER_F_BASIC, xer__print2s, &string_buffer);
if (er.encoded > string_buffer.string_size)
{
LOG_E(RRC, "xer_sprint string buffer too small, got %d need %d!", string_buffer.string_size, er.encoded);
er.encoded = string_buffer.string_size;
}
return er.encoded;
}
uint16_t get_adjacent_cell_id(uint8_t Mod_id,uint8_t index) {
......@@ -2016,22 +2040,17 @@ OAI_UECapability_t *fill_ue_capability() {
}
# else
{
char *message_string = NULL;
message_string = calloc(10000, sizeof(char));
char message_string[10000];
size_t message_string_size;
if (xer_sprint(message_string, &asn_DEF_UE_EUTRA_Capability, (void *)UE_EUTRA_Capability) >= 0)
if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_UE_EUTRA_Capability, (void *)UE_EUTRA_Capability)) > 0)
{
MessageDef *message_p;
size_t message_string_size;
message_string_size = strlen(message_string);
message_p = itti_alloc_new_message_sized (TASK_RRC_UE, GENERIC_LOG, message_string_size);
memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size);
itti_send_msg_to_task(TASK_UNKNOWN, INSTANCE_DEFAULT, message_p);
free(message_string);
}
}
# endif
......
......@@ -61,7 +61,7 @@
* -1: Problem printing the structure.
* WARNING: No sensible errno value is returned.
*/
int xer_sprint(char *string, struct asn_TYPE_descriptor_s *td, void *sptr);
int xer_sprint(char *string, size_t string_size, struct asn_TYPE_descriptor_s *td, void *sptr);
uint16_t get_adjacent_cell_id(uint8_t Mod_id,uint8_t index);
......
......@@ -343,22 +343,17 @@ int rrc_ue_decode_ccch(u8 Mod_id, u32 frame, SRB_INFO *Srb_info, u8 eNB_index){
}
# else
{
char *message_string = NULL;
message_string = calloc(10000, sizeof(char));
char message_string[10000];
size_t message_string_size;
if (xer_sprint(message_string, &asn_DEF_DL_CCCH_Message, (void *)dl_ccch_msg) >= 0)
if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_DL_CCCH_Message, (void *)dl_ccch_msg)) > 0)
{
MessageDef *message_p;
size_t message_string_size;
message_string_size = strlen(message_string);
message_p = itti_alloc_new_message_sized (TASK_RRC_UE, GENERIC_LOG, message_string_size);
memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size);
itti_send_msg_to_task(TASK_UNKNOWN, Mod_id + NB_eNB_INST, message_p);
free(message_string);
}
}
# endif
......@@ -1378,22 +1373,17 @@ void rrc_ue_decode_dcch(u8 Mod_id,u32 frame,u8 Srb_id, u8 *Buffer,u8 eNB_index)
}
# else
{
char *message_string = NULL;
message_string = calloc(20000, sizeof(char));
char message_string[20000];
size_t message_string_size;
if (xer_sprint(message_string, &asn_DEF_DL_DCCH_Message, (void *)dl_dcch_msg) >= 0)
if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_DL_DCCH_Message, (void *)dl_dcch_msg)) > 0)
{
MessageDef *message_p;
size_t message_string_size;
message_string_size = strlen(message_string);
message_p = itti_alloc_new_message_sized (TASK_RRC_UE, GENERIC_LOG, message_string_size);
memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size);
itti_send_msg_to_task(TASK_UNKNOWN, Mod_id + NB_eNB_INST, message_p);
free(message_string);
}
}
# endif
......@@ -1593,22 +1583,17 @@ int decode_BCCH_DLSCH_Message(u8 Mod_id,u32 frame,u8 eNB_index,u8 *Sdu,u8 Sdu_le
}
# else
{
char *message_string = NULL;
message_string = calloc(10000, sizeof(char));
char message_string[15000];
size_t message_string_size;
if (xer_sprint(message_string, &asn_DEF_BCCH_DL_SCH_Message, (void *)bcch_message) >= 0)
if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_BCCH_DL_SCH_Message, (void *)bcch_message)) > 0)
{
MessageDef *message_p;
size_t message_string_size;
message_string_size = strlen(message_string);
message_p = itti_alloc_new_message_sized (TASK_RRC_UE, GENERIC_LOG, message_string_size);
memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size);
itti_send_msg_to_task(TASK_UNKNOWN, Mod_id + NB_eNB_INST, message_p);
free(message_string);
}
}
# endif
......
......@@ -2514,22 +2514,17 @@ int rrc_eNB_decode_ccch (u8 Mod_id, u32 frame, SRB_INFO * Srb_info)
}
# else
{
char *message_string = NULL;
message_string = calloc(10000, sizeof(char));
char message_string[10000];
size_t message_string_size;
if (xer_sprint(message_string, &asn_DEF_UL_CCCH_Message, (void *)ul_ccch_msg) >= 0)
if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_UL_CCCH_Message, (void *)ul_ccch_msg)) > 0)
{
MessageDef *message_p;
size_t message_string_size;
message_string_size = strlen(message_string);
message_p = itti_alloc_new_message_sized (TASK_RRC_ENB, GENERIC_LOG, message_string_size);
memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size);
itti_send_msg_to_task(TASK_UNKNOWN, Mod_id, message_p);
free(message_string);
}
}
# endif
......@@ -2731,22 +2726,17 @@ int rrc_eNB_decode_dcch (u8 Mod_id, u32 frame, u8 Srb_id, u8 UE_index,
}
# else
{
char *message_string = NULL;
message_string = calloc(10000, sizeof(char));
char message_string[10000];
size_t message_string_size;
if (xer_sprint(message_string, &asn_DEF_UL_DCCH_Message, (void *)ul_dcch_msg) >= 0)
if ((message_string_size = xer_sprint(message_string, sizeof(message_string), &asn_DEF_UL_DCCH_Message, (void *)ul_dcch_msg)) >= 0)
{
MessageDef *message_p;
size_t message_string_size;
message_string_size = strlen(message_string);
message_p = itti_alloc_new_message_sized (TASK_RRC_ENB, GENERIC_LOG, message_string_size);
memcpy(&message_p->ittiMsg.generic_log, message_string, message_string_size);
itti_send_msg_to_task(TASK_UNKNOWN, Mod_id, message_p);
free(message_string);
}
}
# endif
......@@ -2811,15 +2801,6 @@ int rrc_eNB_decode_dcch (u8 Mod_id, u32 frame, u8 Srb_id, u8 UE_index,
eNB_rrc_inst[Mod_id].Info.UE[UE_index].Status = RRC_RECONFIGURED;
LOG_I (RRC, "[eNB %d] UE %d State = RRC_RECONFIGURED \n",
Mod_id, UE_index);
#if defined(ENABLE_USE_MME)
if (EPC_MODE_ENABLED == 1)
{
# if defined(ENABLE_ITTI)
eNB_rrc_inst[Mod_id].Info.UE[UE_index].e_rab[eNB_rrc_inst[Mod_id].Info.UE[UE_index].index_of_e_rabs - 1].status = E_RAB_STATUS_DONE;
}
# endif
#endif
}
#if defined(ENABLE_USE_MME)
......@@ -2828,28 +2809,7 @@ int rrc_eNB_decode_dcch (u8 Mod_id, u32 frame, u8 Srb_id, u8 UE_index,
# if defined(ENABLE_ITTI)
eNB_RRC_UE_INFO *UE_info = &eNB_rrc_inst[Mod_id].Info.UE[UE_index];
/* Process e RAB parameters received from S1AP one by one (the previous one is completed, eventually process the next one) */
if (UE_info->nb_of_e_rabs > 0)
{
/* Process e RAB configuration from S1AP initial_context_setup_req */
rrc_eNB_generate_defaultRRCConnectionReconfiguration (Mod_id, frame,
UE_index,
UE_info->e_rab[UE_info->index_of_e_rabs].param.nas_pdu.buffer,
UE_info->e_rab[UE_info->index_of_e_rabs].param.nas_pdu.length,
eNB_rrc_inst[Mod_id].HO_flag);
/* Free the NAS PDU buffer and invalidate it */
if (UE_info->e_rab[UE_info->index_of_e_rabs].param.nas_pdu.buffer != NULL)
{
free (UE_info->e_rab[UE_info->index_of_e_rabs].param.nas_pdu.buffer);
}
UE_info->e_rab[UE_info->index_of_e_rabs].param.nas_pdu.buffer = NULL;
UE_info->nb_of_e_rabs --;
UE_info->index_of_e_rabs ++;
}
else
{
rrc_eNB_send_S1AP_INITIAL_CONTEXT_SETUP_RESP (Mod_id, UE_index);
}
# endif
}
#endif
......
......@@ -400,10 +400,13 @@ int rrc_eNB_process_S1AP_INITIAL_CONTEXT_SETUP_REQ(MessageDef *msg_p, const char
/* TODO parameters yet to process ... */
{
S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).ue_ambr;
S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).security_capabilities.encryption_algorithms;
S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).security_capabilities.integrity_algorithms;
S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).security_key;
}
/* Save security parameters, assuming S1AP and RRC are using the same coding for all configuration */
eNB_rrc_inst[instance].ciphering_algorithm[ue_index] =
S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).security_capabilities.encryption_algorithms;
eNB_rrc_inst[instance].ciphering_algorithm[ue_index] =
S1AP_INITIAL_CONTEXT_SETUP_REQ(msg_p).security_capabilities.integrity_algorithms;
{
uint8_t send_security_mode_command = TRUE;
......@@ -451,13 +454,21 @@ int rrc_eNB_process_S1AP_UE_CTXT_MODIFICATION_REQ(MessageDef *msg_p, const char
if (S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).present & S1AP_UE_CONTEXT_MODIFICATION_SECURITY_KEY) {
S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).security_key;
}
if (S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).present & S1AP_UE_CONTEXT_MODIFICATION_UE_AMBR) {
S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).ue_ambr;
}
}
if (S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).present & S1AP_UE_CONTEXT_MODIFICATION_UE_SECU_CAP) {
/* Save security parameters, assuming S1AP and RRC are using the same coding for all configuration */
eNB_rrc_inst[instance].ciphering_algorithm[ue_index] =
S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).security_capabilities.encryption_algorithms;
eNB_rrc_inst[instance].ciphering_algorithm[ue_index] =
S1AP_UE_CTXT_MODIFICATION_REQ(msg_p).security_capabilities.integrity_algorithms;
}
/* transmit the new security parameters to UE */
rrc_eNB_generate_SecurityModeCommand (instance, 0 /* TODO put frame number ! */, ue_index);
}
/* Send the response */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment