From 0b127fa8c79ae16ad8ba88c6d928f711dd9833ed Mon Sep 17 00:00:00 2001 From: faluco Date: Mon, 21 Sep 2020 12:22:47 +0200 Subject: [PATCH] - Fixed several errors that could sent uninitialized data through the network. --- srsepc/hdr/mme/mme_gtpc.h | 1 - srsepc/src/mme/mme_gtpc.cc | 24 ++++++++++++------------ srsepc/src/mme/nas.cc | 1 + srsepc/src/spgw/gtpc.cc | 21 ++++++++++++--------- 4 files changed, 25 insertions(+), 22 deletions(-) diff --git a/srsepc/hdr/mme/mme_gtpc.h b/srsepc/hdr/mme/mme_gtpc.h index fc3da8305..9d4b669ac 100644 --- a/srsepc/hdr/mme/mme_gtpc.h +++ b/srsepc/hdr/mme/mme_gtpc.h @@ -74,7 +74,6 @@ private: int m_s11; struct sockaddr_un m_mme_addr, m_spgw_addr; - in_addr_t m_mme_gtpc_ip; bool init_s11(); uint32_t get_new_ctrl_teid(); diff --git a/srsepc/src/mme/mme_gtpc.cc b/srsepc/src/mme/mme_gtpc.cc index 7a65492ea..b7d548ace 100644 --- a/srsepc/src/mme/mme_gtpc.cc +++ b/srsepc/src/mme/mme_gtpc.cc @@ -137,13 +137,11 @@ bool mme_gtpc::send_create_session_request(uint64_t imsi) { m_mme_gtpc_log->info("Sending Create Session Request.\n"); m_mme_gtpc_log->console("Sending Create Session Request.\n"); - struct srslte::gtpc_pdu cs_req_pdu; - struct srslte::gtpc_create_session_request* cs_req = &cs_req_pdu.choice.create_session_request; - - struct srslte::gtpc_pdu cs_resp_pdu; - + struct srslte::gtpc_pdu cs_req_pdu; // Initialize GTP-C message to zero - bzero(&cs_req_pdu, sizeof(struct srslte::gtpc_pdu)); + std::memset(&cs_req_pdu, 0, sizeof(cs_req_pdu)); + + struct srslte::gtpc_create_session_request* cs_req = &cs_req_pdu.choice.create_session_request; // Setup GTP-C Header. TODO: Length, sequence and other fields need to be added. cs_req_pdu.header.piggyback = false; @@ -155,7 +153,6 @@ bool mme_gtpc::send_create_session_request(uint64_t imsi) cs_req->imsi = imsi; // Control TEID allocated cs_req->sender_f_teid.teid = get_new_ctrl_teid(); - cs_req->sender_f_teid.ipv4 = m_mme_gtpc_ip; m_mme_gtpc_log->info("Next MME control TEID: %d\n", m_next_ctrl_teid); m_mme_gtpc_log->info("Allocated MME control TEID: %d\n", cs_req->sender_f_teid.teid); @@ -194,7 +191,7 @@ bool mme_gtpc::send_create_session_request(uint64_t imsi) // Save GTP-C context gtpc_ctx_t gtpc_ctx; - bzero(>pc_ctx, sizeof(gtpc_ctx_t)); + std::memset(>pc_ctx, 0, sizeof(gtpc_ctx_t)); gtpc_ctx.mme_ctr_fteid = cs_req->sender_f_teid; m_imsi_to_gtpc_ctx.insert(std::pair(imsi, gtpc_ctx)); @@ -293,6 +290,7 @@ bool mme_gtpc::send_modify_bearer_request(uint64_t imsi, uint16_t erab_to_modify { m_mme_gtpc_log->info("Sending GTP-C Modify bearer request\n"); srslte::gtpc_pdu mb_req_pdu; + std::memset(&mb_req_pdu, 0, sizeof(mb_req_pdu)); std::map::iterator it = m_imsi_to_gtpc_ctx.find(imsi); if (it == m_imsi_to_gtpc_ctx.end()) { @@ -340,7 +338,8 @@ void mme_gtpc::handle_modify_bearer_response(srslte::gtpc_pdu* mb_resp_pdu) bool mme_gtpc::send_delete_session_request(uint64_t imsi) { m_mme_gtpc_log->info("Sending GTP-C Delete Session Request request. IMSI %" PRIu64 "\n", imsi); - srslte::gtpc_pdu del_req_pdu; + srslte::gtpc_pdu del_req_pdu; + std::memset(&del_req_pdu, 0, sizeof(del_req_pdu)); srslte::gtp_fteid_t sgw_ctr_fteid; srslte::gtp_fteid_t mme_ctr_fteid; @@ -380,7 +379,8 @@ void mme_gtpc::send_release_access_bearers_request(uint64_t imsi) { // The GTP-C connection will not be torn down, just the user plane bearers. m_mme_gtpc_log->info("Sending GTP-C Release Access Bearers Request\n"); - srslte::gtpc_pdu rel_req_pdu; + srslte::gtpc_pdu rel_req_pdu; + std::memset(&rel_req_pdu, 0, sizeof(rel_req_pdu)); srslte::gtp_fteid_t sgw_ctr_fteid; // Get S-GW Ctr TEID @@ -432,7 +432,7 @@ void mme_gtpc::send_downlink_data_notification_acknowledge(uint64_t imsi, enum s m_mme_gtpc_log->debug("Sending GTP-C Data Notification Acknowledge. Cause %d\n", cause); srslte::gtpc_pdu not_ack_pdu; srslte::gtp_fteid_t sgw_ctr_fteid; - bzero(¬_ack_pdu, sizeof(srslte::gtpc_pdu)); + std::memset(¬_ack_pdu, 0, sizeof(not_ack_pdu)); // get s-gw ctr teid std::map::iterator it_ctx = m_imsi_to_gtpc_ctx.find(imsi); @@ -462,7 +462,7 @@ bool mme_gtpc::send_downlink_data_notification_failure_indication(uint64_t imsi, m_mme_gtpc_log->debug("Sending GTP-C Data Notification Failure Indication. Cause %d\n", cause); srslte::gtpc_pdu not_fail_pdu; srslte::gtp_fteid_t sgw_ctr_fteid; - bzero(¬_fail_pdu, sizeof(srslte::gtpc_pdu)); + std::memset(¬_fail_pdu, 0, sizeof(not_fail_pdu)); // get s-gw ctr teid std::map::iterator it_ctx = m_imsi_to_gtpc_ctx.find(imsi); diff --git a/srsepc/src/mme/nas.cc b/srsepc/src/mme/nas.cc index c511fbdc0..6e325e853 100644 --- a/srsepc/src/mme/nas.cc +++ b/srsepc/src/mme/nas.cc @@ -1023,6 +1023,7 @@ bool nas::handle_attach_complete(srslte::byte_buffer_t* nas_rx) srslte::byte_buffer_t* nas_tx; // Get NAS authentication response + std::memset(&attach_comp, 0, sizeof(attach_comp)); LIBLTE_ERROR_ENUM err = liblte_mme_unpack_attach_complete_msg((LIBLTE_BYTE_MSG_STRUCT*)nas_rx, &attach_comp); if (err != LIBLTE_SUCCESS) { m_nas_log->error("Error unpacking NAS authentication response. Error: %s\n", liblte_error_text[err]); diff --git a/srsepc/src/spgw/gtpc.cc b/srsepc/src/spgw/gtpc.cc index 379aedefd..a2e2eb041 100644 --- a/srsepc/src/spgw/gtpc.cc +++ b/srsepc/src/spgw/gtpc.cc @@ -21,6 +21,7 @@ #include "srsepc/hdr/spgw/gtpc.h" #include +#include #include #include // for printing uint64_t #include @@ -200,9 +201,10 @@ void spgw::gtpc::handle_create_session_request(const struct srslte::gtpc_create_ tunnel_ctx = create_gtpc_ctx(cs_req); // Create session response message - srslte::gtpc_pdu cs_resp_pdu = {}; - srslte::gtpc_header* header = &cs_resp_pdu.header; - srslte::gtpc_create_session_response* cs_resp = &cs_resp_pdu.choice.create_session_response; + srslte::gtpc_pdu cs_resp_pdu; + std::memset(&cs_resp_pdu, 0, sizeof(cs_resp_pdu)); + srslte::gtpc_header* header = &cs_resp_pdu.header; + srslte::gtpc_create_session_response* cs_resp = &cs_resp_pdu.choice.create_session_response; // Setup GTP-C header header->piggyback = false; @@ -211,7 +213,7 @@ void spgw::gtpc::handle_create_session_request(const struct srslte::gtpc_create_ header->type = srslte::GTPC_MSG_TYPE_CREATE_SESSION_RESPONSE; // Initialize to zero - bzero(cs_resp, sizeof(struct srslte::gtpc_create_session_response)); + std::memset(cs_resp, 0, sizeof(struct srslte::gtpc_create_session_response)); // Setup Cause cs_resp->cause.cause_value = srslte::GTPC_CAUSE_VALUE_REQUEST_ACCEPTED; // Setup sender F-TEID (ctrl) @@ -284,7 +286,8 @@ void spgw::gtpc::handle_modify_bearer_request(const struct srslte::gtpc_header& // Setting up Modify bearer response PDU // Header - srslte::gtpc_pdu mb_resp_pdu; + srslte::gtpc_pdu mb_resp_pdu; + std::memset(&mb_resp_pdu, 0, sizeof(mb_resp_pdu)); srslte::gtpc_header* header = &mb_resp_pdu.header; header->piggyback = false; header->teid_present = true; @@ -340,10 +343,10 @@ bool spgw::gtpc::send_downlink_data_notification(uint32_t spgw_ctr_teid) { m_gtpc_log->debug("Sending Downlink Notification Request\n"); - struct srslte::gtpc_pdu dl_not_pdu; + struct srslte::gtpc_pdu dl_not_pdu; + std::memset(&dl_not_pdu, 0, sizeof(dl_not_pdu)); struct srslte::gtpc_header* header = &dl_not_pdu.header; struct srslte::gtpc_downlink_data_notification* dl_not = &dl_not_pdu.choice.downlink_data_notification; - bzero(&dl_not_pdu, sizeof(struct srslte::gtpc_pdu)); // Find MME Ctrl TEID std::map::iterator tunnel_it = m_teid_to_tunnel_ctx.find(spgw_ctr_teid); @@ -454,7 +457,7 @@ spgw_tunnel_ctx_t* spgw::gtpc::create_gtpc_ctx(const struct srslte::gtpc_create_ m_gtpc_log->console("SPGW: Allocate UE IP %s\n", inet_ntoa(ue_ip_)); // Save the UE IP to User TEID map - spgw_tunnel_ctx_t* tunnel_ctx = new spgw_tunnel_ctx_t; + spgw_tunnel_ctx_t* tunnel_ctx = new spgw_tunnel_ctx_t{}; tunnel_ctx->imsi = cs_req.imsi; tunnel_ctx->ebi = default_bearer_id; @@ -465,7 +468,7 @@ spgw_tunnel_ctx_t* spgw::gtpc::create_gtpc_ctx(const struct srslte::gtpc_create_ tunnel_ctx->up_user_fteid.ipv4 = m_gtpu->get_s1u_addr(); tunnel_ctx->dw_ctrl_fteid.teid = cs_req.sender_f_teid.teid; tunnel_ctx->dw_ctrl_fteid.ipv4 = cs_req.sender_f_teid.ipv4; - bzero(&tunnel_ctx->dw_user_fteid, sizeof(srslte::gtp_fteid_t)); + std::memset(&tunnel_ctx->dw_user_fteid, 0, sizeof(srslte::gtp_fteid_t)); m_teid_to_tunnel_ctx.insert(std::pair(spgw_uplink_ctrl_teid, tunnel_ctx)); m_imsi_to_ctr_teid.insert(std::pair(cs_req.imsi, spgw_uplink_ctrl_teid));