Check integrity_generate msg_size parameter

master
Ismael Gomez 7 years ago
parent 2d9c101027
commit f4243656c9

@ -345,30 +345,38 @@ void nas::integrity_generate(uint8_t *key_128,
bool nas::integrity_check(byte_buffer_t *pdu)
{
uint8_t exp_mac[4];
uint8_t *mac = &pdu->msg[1];
int i;
if (!pdu) {
nas_log->error("Invalid PDU\n");
return NULL;
}
if (pdu->N_bytes > 5) {
uint8_t exp_mac[4];
uint8_t *mac = &pdu->msg[1];
int i;
integrity_generate(&k_nas_int[16],
ctxt.rx_count,
SECURITY_DIRECTION_DOWNLINK,
&pdu->msg[5],
pdu->N_bytes-5,
&exp_mac[0]);
// Check if expected mac equals the sent mac
for(i=0; i<4; i++){
if(exp_mac[i] != mac[i]){
nas_log->warning("Integrity check failure. Local: count=%d, [%02x %02x %02x %02x], "
"Received: count=%d, [%02x %02x %02x %02x]\n",
ctxt.rx_count, exp_mac[0], exp_mac[1], exp_mac[2], exp_mac[3],
pdu->msg[5], mac[0], mac[1], mac[2], mac[3]);
return false;
integrity_generate(&k_nas_int[16],
ctxt.rx_count,
SECURITY_DIRECTION_DOWNLINK,
&pdu->msg[5],
pdu->N_bytes-5,
&exp_mac[0]);
// Check if expected mac equals the sent mac
for(i=0; i<4; i++){
if(exp_mac[i] != mac[i]){
nas_log->warning("Integrity check failure. Local: count=%d, [%02x %02x %02x %02x], "
"Received: count=%d, [%02x %02x %02x %02x]\n",
ctxt.rx_count, exp_mac[0], exp_mac[1], exp_mac[2], exp_mac[3],
pdu->msg[5], mac[0], mac[1], mac[2], mac[3]);
return false;
}
}
nas_log->info("Integrity check ok. Local: count=%d, Received: count=%d\n",
ctxt.rx_count, pdu->msg[5]);
return true;
} else {
nas_log->error("Invalid integrity check PDU size (%d)\n", pdu->N_bytes);
}
nas_log->info("Integrity check ok. Local: count=%d, Received: count=%d\n",
ctxt.rx_count, pdu->msg[5]);
return true;
}
void nas::cipher_encrypt(byte_buffer_t *pdu)
@ -454,6 +462,17 @@ bool nas::check_cap_replay(LIBLTE_MME_UE_SECURITY_CAPABILITIES_STRUCT *caps)
******************************************************************************/
void nas::parse_attach_accept(uint32_t lcid, byte_buffer_t *pdu) {
if (!pdu) {
nas_log->error("Invalid PDU\n");
return;
}
if (pdu->N_bytes <= 5) {
nas_log->error("Invalid attach accept PDU size (%d)\n", pdu->N_bytes);
return;
}
LIBLTE_MME_ATTACH_ACCEPT_MSG_STRUCT attach_accept;
LIBLTE_MME_ACTIVATE_DEFAULT_EPS_BEARER_CONTEXT_REQUEST_MSG_STRUCT act_def_eps_bearer_context_req;
LIBLTE_MME_ATTACH_COMPLETE_MSG_STRUCT attach_complete;
@ -679,6 +698,17 @@ void nas::parse_identity_request(uint32_t lcid, byte_buffer_t *pdu) {
void nas::parse_security_mode_command(uint32_t lcid, byte_buffer_t *pdu)
{
if (!pdu) {
nas_log->error("Invalid PDU\n");
return;
}
if (pdu->N_bytes <= 5) {
nas_log->error("Invalid security mode command PDU size (%d)\n", pdu->N_bytes);
return;
}
LIBLTE_MME_SECURITY_MODE_COMMAND_MSG_STRUCT sec_mode_cmd;
LIBLTE_MME_SECURITY_MODE_COMPLETE_MSG_STRUCT sec_mode_comp;
@ -808,6 +838,8 @@ void nas::parse_emm_information(uint32_t lcid, byte_buffer_t *pdu) {
******************************************************************************/
void nas::send_attach_request() {
LIBLTE_MME_ATTACH_REQUEST_MSG_STRUCT attach_req;
byte_buffer_t *msg = pool_allocate;
if (!msg) {
@ -861,12 +893,16 @@ void nas::send_attach_request() {
(LIBLTE_BYTE_MSG_STRUCT *) msg);
// Add MAC
integrity_generate(&k_nas_int[16],
ctxt.tx_count,
SECURITY_DIRECTION_UPLINK,
&msg->msg[5],
msg->N_bytes - 5,
&msg->msg[1]);
if (msg->N_bytes > 5) {
integrity_generate(&k_nas_int[16],
ctxt.tx_count,
SECURITY_DIRECTION_UPLINK,
&msg->msg[5],
msg->N_bytes - 5,
&msg->msg[1]);
} else {
nas_log->error("Invalid PDU size %d\n", msg->N_bytes);
}
} else {
attach_req.eps_mobile_id.type_of_id = LIBLTE_MME_EPS_MOBILE_ID_TYPE_IMSI;
usim->get_imsi_vec(attach_req.eps_mobile_id.imsi, 15);

Loading…
Cancel
Save