paulmataruso/open5gs
1
0
Fork 0
mirror of https://github.com/open5gs/open5gs.git synced 2025-11-02 04:53:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

[CORE] Add defense code to ogs_pkbuf_copy (#2032)

Browse Source 
Added a defense code to prevent NF crash when ogs_pkbuf_copy() size is 0.
This commit is contained in:
Sukchan Lee
2023-01-29 16:45:42 +09:00
parent fde0fd0248
commit 628b4f0ec7
2 changed files with 45 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
lib/core/ogs-pkbuf.c
View File

@@ -317,11 +317,21 @@ ogs_pkbuf_t *ogs_pkbuf_copy_debug(ogs_pkbuf_t *pkbuf, const char *file_line)
{
#if OGS_USE_TALLOC
ogs_pkbuf_t *newbuf;
#else
ogs_pkbuf_pool_t *pool = NULL;
ogs_pkbuf_t *newbuf = NULL;
#endif
int size = 0;
ogs_assert(pkbuf);
size = pkbuf->end - pkbuf->head;
ogs_assert(size > 0);
if (size <= 0) {
ogs_error("Invalid argument[size=%d, head=%p, end=%p] in (%s)",
size, pkbuf->head, pkbuf->end, file_line);
return NULL;
}
#if OGS_USE_TALLOC
newbuf = ogs_pkbuf_alloc_debug(NULL, size, file_line);
if (!newbuf) {
ogs_error("ogs_pkbuf_alloc() failed [size=%d]", size);
@@ -339,10 +349,6 @@ ogs_pkbuf_t *ogs_pkbuf_copy_debug(ogs_pkbuf_t *pkbuf, const char *file_line)
return newbuf;
#else
ogs_pkbuf_pool_t *pool = NULL;
ogs_pkbuf_t *newbuf = NULL;
ogs_assert(pkbuf);
pool = pkbuf->pool;
ogs_assert(pool);
@@ -350,7 +356,7 @@ ogs_pkbuf_t *ogs_pkbuf_copy_debug(ogs_pkbuf_t *pkbuf, const char *file_line)
ogs_pool_alloc(&pool->pkbuf, &newbuf);
if (!newbuf) {
ogs_error("ogs_pkbuf_copy() failed");
ogs_error("ogs_pkbuf_copy() failed [size=%d]", size);
ogs_thread_mutex_unlock(&pool->mutex);
return NULL;
}

37
lib/sbi/message.c
View File

@@ -2158,8 +2158,21 @@ static int parse_multipart(
data.part[i].content_type;
http->part[http->num_of_part].pkbuf =
ogs_pkbuf_alloc(NULL, data.part[i].content_length);
ogs_expect_or_return_val(
http->part[http->num_of_part].pkbuf, OGS_ERROR);
if (!(http->part[http->num_of_part].pkbuf)) {
ogs_error("ogs_pkbuf_copy() failed");
if (data.part[i].content_id)
ogs_free(data.part[i].content_id);
if (data.part[i].content_type)
ogs_free(data.part[i].content_type);
if (data.part[i].content)
ogs_free(data.part[i].content);
if (data.header_field)
ogs_free(data.header_field);
return OGS_ERROR;
}
ogs_pkbuf_put_data(http->part[http->num_of_part].pkbuf,
data.part[i].content, data.part[i].content_length);
@@ -2169,8 +2182,24 @@ static int parse_multipart(
http->part[http->num_of_part].content_type;
message->part[message->num_of_part].pkbuf =
ogs_pkbuf_copy(http->part[http->num_of_part].pkbuf);
ogs_expect_or_return_val(
message->part[message->num_of_part].pkbuf, OGS_ERROR);
if (!(message->part[http->num_of_part].pkbuf)) {
ogs_error("ogs_pkbuf_copy() failed");
if (data.part[i].content_id)
ogs_free(data.part[i].content_id);
if (data.part[i].content_type)
ogs_free(data.part[i].content_type);
if (data.part[i].content)
ogs_free(data.part[i].content);
if (data.header_field)
ogs_free(data.header_field);
if (http->part[http->num_of_part].pkbuf)
ogs_pkbuf_free(http->part[http->num_of_part].pkbuf);
return OGS_ERROR;
}
http->num_of_part++;
message->num_of_part++;