authorHarald Welte <laforge@gnumonks.org>2019-08-31 21:25:05 +0200
committerHarald Welte <laforge@gnumonks.org>2019-08-31 21:27:57 +0200
commitf2210030440d71a56940e02822532977609a1d05 (patch)
tree21ddd946f75a23733970cb37914186708065d3ce
parentf89cbd0019393ed8aeefa8b633e330982c8ab126 (diff)
cbsp: Fix endless loop iteration when decoding cell list IEs
The CBSP code assumed that gsm0808_decode_cell_id_u() would return the number of bytes it has consumed/parsed. But it actually always returns '0', which makes us run in an endless loop :( Change-Id: I5758af4ec11a827d4b888a3a16c4ec22de90a7d6
-rw-r--r--include/osmocom/gsm/gsm0808_utils.h1
-rw-r--r--src/gsm/cbsp.c8
-rw-r--r--src/gsm/gsm0808_utils.c21
3 files changed, 26 insertions, 4 deletions
diff --git a/include/osmocom/gsm/gsm0808_utils.h b/include/osmocom/gsm/gsm0808_utils.h
index 76db2b6d..ccdf5ed9 100644
--- a/include/osmocom/gsm/gsm0808_utils.h
+++ b/include/osmocom/gsm/gsm0808_utils.h
@@ -95,6 +95,7 @@ void gsm0808_cell_id_from_cgi(struct gsm0808_cell_id *cid, enum CELL_IDENT id_di
int gsm0808_cell_id_to_cgi(struct osmo_cell_global_id *cgi, const struct gsm0808_cell_id *cid);
void gsm0808_msgb_put_cell_id_u(struct msgb *msg, enum CELL_IDENT id_discr, const union gsm0808_cell_id_u *u);
int gsm0808_decode_cell_id_u(union gsm0808_cell_id_u *out, enum CELL_IDENT discr, const uint8_t *buf, unsigned int len);
+int gsm0808_cell_id_size(enum CELL_IDENT discr);
uint8_t gsm0808_enc_cause(struct msgb *msg, uint16_t cause);
uint8_t gsm0808_enc_aoip_trasp_addr(struct msgb *msg,
diff --git a/src/gsm/cbsp.c b/src/gsm/cbsp.c
index 84b92358..c13be617 100644
--- a/src/gsm/cbsp.c
+++ b/src/gsm/cbsp.c
@@ -515,7 +515,7 @@ static int cbsp_decode_cell_list(struct osmo_cbsp_cell_list *cl, void *ctx,
osmo_cbsp_errstr = "cell list: error decoding cell_id_union";
return rc;
}
- cur += rc;
+ cur += gsm0808_cell_id_size(cl->id_discr);
llist_add_tail(&ent->list, &cl->list);
}
return 0;
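Review bot: The new line `cur += gsm0808_cell_id_size(cl->id_discr);` adds the return value to the cursor unchecked, but gsm0808_cell_id_size() returns -EINVAL for a discriminator it does not know (default case of the new function in the gsm0808_utils.c hunk), which would move `cur` backwards and make the following reads go outside the IE. Whether an unknown discriminator can reach this line depends on gsm0808_decode_cell_id_u() rejecting it first, which is not visible here; for the zero-size discriminators CELL_IDENT_BSS/CELL_IDENT_NO_CELL the cursor also does not advance, so if the loop in cbsp_decode_cell_list (which starts above this hunk) is bounded only by `cur`, it presumably could still spin. The same unchecked add appears in the next three hunks, in cbsp_decode_fail_list, cbsp_decode_loading_list and cbsp_decode_num_compl_list, each with its own discriminator. I would keep the size in `rc` and bail out on a negative result before advancing, as below; the `talloc_free(ent)` mirrors the error path visible in the loading-list hunk, assuming `ent` is talloc-allocated the same way here.
```c
	/* … unchanged: gsm0808_decode_cell_id_u() call and its error check … */
	rc = gsm0808_cell_id_size(cl->id_discr);
	if (rc < 0) {
		talloc_free(ent);
		osmo_cbsp_errstr = "cell list: unknown cell_id discriminator";
		return rc;
	}
	cur += rc;
	llist_add_tail(&ent->list, &cl->list);
```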
@@ -538,7 +538,7 @@ static int cbsp_decode_fail_list(struct llist_head *fl, void *ctx,
osmo_cbsp_errstr = "fail list: error decoding cell_id_union";
return rc;
}
- cur += rc;
+ cur += gsm0808_cell_id_size(ent->id_discr);
ent->cause = *cur++;
llist_add_tail(&ent->list, fl);
}
@@ -562,7 +562,7 @@ static int cbsp_decode_loading_list(struct osmo_cbsp_loading_list *ll, void *ctx
osmo_cbsp_errstr = "load list: error decoding cell_id_union";
return rc;
}
- cur += rc;
+ cur += gsm0808_cell_id_size(ll->id_discr);
if (cur + 2 > buf + len) {
talloc_free(ent);
osmo_cbsp_errstr = "load list: truncated IE";
@@ -592,7 +592,7 @@ static int cbsp_decode_num_compl_list(struct osmo_cbsp_num_compl_list *cl, void
osmo_cbsp_errstr = "completed list: error decoding cell_id_union";
return rc;
}
- cur += rc;
+ cur += gsm0808_cell_id_size(cl->id_discr);
if (cur + 3 > buf + len) {
talloc_free(ent);
osmo_cbsp_errstr = "completed list: truncated IE";
diff --git a/src/gsm/gsm0808_utils.c b/src/gsm/gsm0808_utils.c
index 364a04fe..7416d8f5 100644
--- a/src/gsm/gsm0808_utils.c
+++ b/src/gsm/gsm0808_utils.c
@@ -767,6 +767,27 @@ int gsm0808_dec_encrypt_info(struct gsm0808_encrypt_info *ei,
return (int)(elem - old_elem);
}
+/* Return the size of the value part of a cell identifier of given type */
+int gsm0808_cell_id_size(enum CELL_IDENT discr)
+{
+ switch (discr) {
+ case CELL_IDENT_WHOLE_GLOBAL:
+ return 7;
+ case CELL_IDENT_LAC_AND_CI:
+ return 4;
+ case CELL_IDENT_CI:
+ return 2;
+ case CELL_IDENT_LAI_AND_LAC:
+ return 5;
+ case CELL_IDENT_LAC:
+ return 2;
+ case CELL_IDENT_BSS:
+ case CELL_IDENT_NO_CELL:
+ return 0;
+ default:
+ return -EINVAL;
+ }
+}
/*! Decode a single GSM 08.08 Cell ID list element payload
* \param[out] out caller-provided output union
* \param[in] discr Cell ID discriminator describing type to be decoded
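Review bot: gsm0808_cell_id_size() becomes public API (it is added to gsm0808_utils.h in the first hunk), but its header comment is a plain `/* ... */` while the neighbouring gsm0808_decode_cell_id_u() right below uses the `/*! ... \param ... */` doxygen form, so the new function will be missing from the generated API documentation. The two facts a caller most needs are the 0 result for CELL_IDENT_BSS/CELL_IDENT_NO_CELL and the -EINVAL for an unknown discriminator, since both are returned through the same int and the cbsp.c callers add that int straight to a pointer. I would replace the comment with `/*! Return the size of the value part of a cell identifier of given type`, ` *  \param[in] discr Cell ID discriminator` and ` *  \returns size in bytes of the value part; 0 for CELL_IDENT_BSS/CELL_IDENT_NO_CELL; -EINVAL for an unknown discriminator */`. The -EINVAL also relies on errno.h already being included by this file, which the hunk does not show.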