[AMF/MME] Fix potential buffer overflow in ASCII-to-USC2 conversion

In amf_context_parse_config(), update the loop condition to ensure that
((i * 2) + 1) remains below
(OGS_NAS_MAX_NETWORK_NAME_LEN - 1) before performing any writes.
This change prevents potential out-of-bounds memory writes during
the conversion of an ASCII string to UCS-2, thereby fixing a buffer
overflow issue.

This issue was observed on Ubuntu 25.04 and reported in the osmocom
nightly package.
Sukchan Lee
2025-04-13 06:55:22 +00:00
parent 9217889f8a
commit 1182a99d04
2 changed files with 24 additions and 16 deletions


@@ -977,12 +977,14 @@ int amf_context_parse_config(void)
ogs_yaml_iter_value(&network_name_iter);
uint8_t size = strlen(c_network_name);
uint8_t i;
for (i = 0;i<size;i++) {
for (i = 0; i < size &&
(((i * 2) + 1) <
(OGS_NAS_MAX_NETWORK_NAME_LEN - 1));
i++) {
/* Workaround to convert the ASCII to USC-2 */
network_full_name->name[i*2] = 0;
network_full_name->name[(i*2)+1] =
network_full_name->name[i * 2] = 0;
network_full_name->name[i * 2 + 1] =
c_network_name[i];
}
network_full_name->length = size*2+1;
network_full_name->coding_scheme = 1;
@@ -994,12 +996,14 @@ int amf_context_parse_config(void)
ogs_yaml_iter_value(&network_name_iter);
uint8_t size = strlen(c_network_name);
uint8_t i;
for (i = 0;i<size;i++) {
for (i = 0; i < size &&
(((i * 2) + 1) <
(OGS_NAS_MAX_NETWORK_NAME_LEN - 1));
i++) {
/* Workaround to convert the ASCII to USC-2 */
network_short_name->name[i*2] = 0;
network_short_name->name[(i*2)+1] =
network_short_name->name[i * 2] = 0;
network_short_name->name[i * 2 + 1] =
c_network_name[i];
}
network_short_name->length = size*2+1;
network_short_name->coding_scheme = 1;
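Review bot: The `length` assignment after each loop still uses the untruncated `size`, so when the new bound stops the loop early the stored length (`size*2+1`) describes more bytes than were written and can exceed the `name` array. Any later code that copies `length` bytes out of `name` would then read past the buffer; the encoder is not visible here, so that part is inferred. Derive the length from the number of characters actually converted, e.g. `network_full_name->length = i * 2 + 1;` after the loop, and do the same for `network_short_name` in the second hunk and for both hunks in `mme_context_parse_config()`. The enclosing function begins and ends outside these hunks.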


@@ -2014,12 +2014,14 @@ int mme_context_parse_config(void)
ogs_yaml_iter_value(&network_name_iter);
uint8_t size = strlen(c_network_name);
uint8_t i;
for (i = 0;i<size;i++) {
for (i = 0; i < size &&
(((i * 2) + 1) <
(OGS_NAS_MAX_NETWORK_NAME_LEN - 1));
i++) {
/* Workaround to convert the ASCII to USC-2 */
network_full_name->name[i*2] = 0;
network_full_name->name[(i*2)+1] =
network_full_name->name[i * 2] = 0;
network_full_name->name[i * 2 + 1] =
c_network_name[i];
}
network_full_name->length = size*2+1;
network_full_name->coding_scheme = 1;
@@ -2031,12 +2033,14 @@ int mme_context_parse_config(void)
ogs_yaml_iter_value(&network_name_iter);
uint8_t size = strlen(c_network_name);
uint8_t i;
for (i = 0;i<size;i++) {
for (i = 0; i < size &&
(((i * 2) + 1) <
(OGS_NAS_MAX_NETWORK_NAME_LEN - 1));
i++) {
/* Workaround to convert the ASCII to USC-2 */
network_short_name->name[i*2] = 0;
network_short_name->name[(i*2)+1] =
network_short_name->name[i * 2] = 0;
network_short_name->name[i * 2 + 1] =
c_network_name[i];
}
network_short_name->length = size*2+1;
network_short_name->coding_scheme = 1;
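Review bot: `uint8_t size = strlen(c_network_name);` narrows the string length before any check, so a configured name of 256 characters or more wraps to a small value, and a name over the limit is now truncated without any message. Keep the result in a wider type, e.g. `size_t len = strlen(c_network_name);`, and compare it against the buffer capacity before converting. An over-long name should be logged or rejected with an error return so the operator sees the misconfiguration instead of a silently shortened network name. This applies equally to the short-name hunk here and to both hunks in `amf_context_parse_config()`; the function body continues outside the hunks.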