From f4243656c913369b6d9acdcae0653862103c1626 Mon Sep 17 00:00:00 2001 From: Ismael Gomez Date: Wed, 21 Mar 2018 11:47:30 +0100 Subject: [PATCH] Check integrity_generate msg_size parameter --- srsue/src/upper/nas.cc | 90 +++++++++++++++++++++++++++++------------- 1 file changed, 63 insertions(+), 27 deletions(-) diff --git a/srsue/src/upper/nas.cc b/srsue/src/upper/nas.cc index 763515ea4..7069f4a23 100644 --- a/srsue/src/upper/nas.cc +++ b/srsue/src/upper/nas.cc @@ -345,30 +345,38 @@ void nas::integrity_generate(uint8_t *key_128, bool nas::integrity_check(byte_buffer_t *pdu) { - uint8_t exp_mac[4]; - uint8_t *mac = &pdu->msg[1]; - int i; + if (!pdu) { + nas_log->error("Invalid PDU\n"); + return NULL; + } + if (pdu->N_bytes > 5) { + uint8_t exp_mac[4]; + uint8_t *mac = &pdu->msg[1]; + int i; - integrity_generate(&k_nas_int[16], - ctxt.rx_count, - SECURITY_DIRECTION_DOWNLINK, - &pdu->msg[5], - pdu->N_bytes-5, - &exp_mac[0]); - - // Check if expected mac equals the sent mac - for(i=0; i<4; i++){ - if(exp_mac[i] != mac[i]){ - nas_log->warning("Integrity check failure. Local: count=%d, [%02x %02x %02x %02x], " - "Received: count=%d, [%02x %02x %02x %02x]\n", - ctxt.rx_count, exp_mac[0], exp_mac[1], exp_mac[2], exp_mac[3], - pdu->msg[5], mac[0], mac[1], mac[2], mac[3]); - return false; + integrity_generate(&k_nas_int[16], + ctxt.rx_count, + SECURITY_DIRECTION_DOWNLINK, + &pdu->msg[5], + pdu->N_bytes-5, + &exp_mac[0]); + + // Check if expected mac equals the sent mac + for(i=0; i<4; i++){ + if(exp_mac[i] != mac[i]){ + nas_log->warning("Integrity check failure. Local: count=%d, [%02x %02x %02x %02x], " + "Received: count=%d, [%02x %02x %02x %02x]\n", + ctxt.rx_count, exp_mac[0], exp_mac[1], exp_mac[2], exp_mac[3], + pdu->msg[5], mac[0], mac[1], mac[2], mac[3]); + return false; + } } + nas_log->info("Integrity check ok. Local: count=%d, Received: count=%d\n", + ctxt.rx_count, pdu->msg[5]); + return true; + } else { + nas_log->error("Invalid integrity check PDU size (%d)\n", pdu->N_bytes); } - nas_log->info("Integrity check ok. Local: count=%d, Received: count=%d\n", - ctxt.rx_count, pdu->msg[5]); - return true; } void nas::cipher_encrypt(byte_buffer_t *pdu) @@ -454,6 +462,17 @@ bool nas::check_cap_replay(LIBLTE_MME_UE_SECURITY_CAPABILITIES_STRUCT *caps) ******************************************************************************/ void nas::parse_attach_accept(uint32_t lcid, byte_buffer_t *pdu) { + + if (!pdu) { + nas_log->error("Invalid PDU\n"); + return; + } + + if (pdu->N_bytes <= 5) { + nas_log->error("Invalid attach accept PDU size (%d)\n", pdu->N_bytes); + return; + } + LIBLTE_MME_ATTACH_ACCEPT_MSG_STRUCT attach_accept; LIBLTE_MME_ACTIVATE_DEFAULT_EPS_BEARER_CONTEXT_REQUEST_MSG_STRUCT act_def_eps_bearer_context_req; LIBLTE_MME_ATTACH_COMPLETE_MSG_STRUCT attach_complete; @@ -679,6 +698,17 @@ void nas::parse_identity_request(uint32_t lcid, byte_buffer_t *pdu) { void nas::parse_security_mode_command(uint32_t lcid, byte_buffer_t *pdu) { + + if (!pdu) { + nas_log->error("Invalid PDU\n"); + return; + } + + if (pdu->N_bytes <= 5) { + nas_log->error("Invalid security mode command PDU size (%d)\n", pdu->N_bytes); + return; + } + LIBLTE_MME_SECURITY_MODE_COMMAND_MSG_STRUCT sec_mode_cmd; LIBLTE_MME_SECURITY_MODE_COMPLETE_MSG_STRUCT sec_mode_comp; @@ -808,6 +838,8 @@ void nas::parse_emm_information(uint32_t lcid, byte_buffer_t *pdu) { ******************************************************************************/ void nas::send_attach_request() { + + LIBLTE_MME_ATTACH_REQUEST_MSG_STRUCT attach_req; byte_buffer_t *msg = pool_allocate; if (!msg) { @@ -861,12 +893,16 @@ void nas::send_attach_request() { (LIBLTE_BYTE_MSG_STRUCT *) msg); // Add MAC - integrity_generate(&k_nas_int[16], - ctxt.tx_count, - SECURITY_DIRECTION_UPLINK, - &msg->msg[5], - msg->N_bytes - 5, - &msg->msg[1]); + if (msg->N_bytes > 5) { + integrity_generate(&k_nas_int[16], + ctxt.tx_count, + SECURITY_DIRECTION_UPLINK, + &msg->msg[5], + msg->N_bytes - 5, + &msg->msg[1]); + } else { + nas_log->error("Invalid PDU size %d\n", msg->N_bytes); + } } else { attach_req.eps_mobile_id.type_of_id = LIBLTE_MME_EPS_MOBILE_ID_TYPE_IMSI; usim->get_imsi_vec(attach_req.eps_mobile_id.imsi, 15);