From a4f0ecba3648fb4bdad048090f4eb946179c0f54 Mon Sep 17 00:00:00 2001
From: faluco
Date: Mon, 21 Sep 2020 10:45:55 +0200
Subject: [PATCH] - Fixed a heap corruption where recvfrom could write past the buffer end.

---
 srsepc/src/mme/mme.cc      | 2 +-
 srsepc/src/mme/mme_gtpc.cc | 1 -
 srsepc/src/spgw/gtpc.cc    | 6 +++---
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/srsepc/src/mme/mme.cc b/srsepc/src/mme/mme.cc
index 9a9d7a654..a06461932 100644
--- a/srsepc/src/mme/mme.cc
+++ b/srsepc/src/mme/mme.cc
@@ -170,7 +170,7 @@ void mme::run_thread()
     }
     // Handle S11
     if (FD_ISSET(s11, &m_set)) {
-      pdu->N_bytes = recvfrom(s11, pdu->msg, SRSLTE_MAX_BUFFER_SIZE_BYTES, 0, NULL, NULL);
+      pdu->N_bytes = recvfrom(s11, pdu->msg, sz, 0, NULL, NULL);
       m_mme_gtpc->handle_s11_pdu(pdu);
     }
     // Handle NAS Timers
diff --git a/srsepc/src/mme/mme_gtpc.cc b/srsepc/src/mme/mme_gtpc.cc
index 90636dfa4..7a65492ea 100644
--- a/srsepc/src/mme/mme_gtpc.cc
+++ b/srsepc/src/mme/mme_gtpc.cc
@@ -146,7 +146,6 @@ bool mme_gtpc::send_create_session_request(uint64_t imsi)
   bzero(&cs_req_pdu, sizeof(struct srslte::gtpc_pdu));
   // Setup GTP-C Header. TODO: Length, sequence and other fields need to be added.
-  cs_req_pdu.union_field_size = sizeof(srslte::gtpc_create_session_request);
   cs_req_pdu.header.piggyback = false;
   cs_req_pdu.header.teid_present = true;
   cs_req_pdu.header.teid = 0; // Send create session request to the butler TEID
diff --git a/srsepc/src/spgw/gtpc.cc b/srsepc/src/spgw/gtpc.cc
index f1c7db019..379aedefd 100644
--- a/srsepc/src/spgw/gtpc.cc
+++ b/srsepc/src/spgw/gtpc.cc
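Review bot: The new recvfrom() call on the S11 socket still stores its return value straight into pdu->N_bytes and hands the PDU to handle_s11_pdu() without checking for failure; recvfrom() returns -1 on error, and if N_bytes is an unsigned length (it looks like one, but its type is outside the hunk) that -1 becomes a huge byte count the GTP-C parser would then trust. Guard the dispatch: `ssize_t n = recvfrom(s11, pdu->msg, sz, 0, NULL, NULL); if (n < 0) { /* log errno and skip this PDU */ } else { pdu->N_bytes = n; m_mme_gtpc->handle_s11_pdu(pdu); }`. `sz` is defined outside the hunk; to keep the original overflow from reappearing it should be derived from the actual allocation of pdu->msg (e.g. `sizeof(pdu->msg)` if msg is an inline array) rather than a constant maintained separately from the buffer type, and a short comment saying so next to its definition would help the next reader. run_thread's body continues outside the hunk.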
@@ -200,9 +200,9 @@ void spgw::gtpc::handle_create_session_request(const struct srslte::gtpc_create_
   tunnel_ctx = create_gtpc_ctx(cs_req);
   // Create session response message
-  srslte::gtpc_pdu cs_resp_pdu;
-  srslte::gtpc_header* header = &cs_resp_pdu.header;
-  srslte::gtpc_create_session_response* cs_resp = &cs_resp_pdu.choice.create_session_response;
+  srslte::gtpc_pdu cs_resp_pdu = {};
+  srslte::gtpc_header* header = &cs_resp_pdu.header;
+  srslte::gtpc_create_session_response* cs_resp = &cs_resp_pdu.choice.create_session_response;
   // Setup GTP-C header
   header->piggyback = false;