From 4da67bb5871b7c1e4ffbde1c100e3ca06a29d8e6 Mon Sep 17 00:00:00 2001
From: Neels Janosch Hofmeyr
Date: Thu, 16 Jan 2025 19:07:16 +0100
Subject: [PATCH] hnbgw_rx_hnb_register_req(): guard against asn.1 parsing errors

I considered putting these checks into hnbap_decode_hnbregisterrequesties() itself, but that code is generated by asn1tostruct.py, so it is non-trivial. So I decided to add this code bit, to guard against potential NULL deref induced by input from the wire, which coverity complains about.

Related: CID#465551
Change-Id: I555f11cadc23ea231821bd48f7cd62953b022e9e
---
 src/osmo-hnbgw/hnbgw_hnbap.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/osmo-hnbgw/hnbgw_hnbap.c b/src/osmo-hnbgw/hnbgw_hnbap.c
index b291513..4959ddf 100644
--- a/src/osmo-hnbgw/hnbgw_hnbap.c
+++ b/src/osmo-hnbgw/hnbgw_hnbap.c
@@ -467,6 +467,16 @@ static int hnbgw_rx_hnb_deregister(struct hnb_context *ctx, ANY_t *in)
 	return 0;
 }
 
+static bool is_asn1_octet_string_empty(const OCTET_STRING_t *val)
+{
+	return !val || !val->buf || !val->size;
+}
+
+static bool is_asn1_bit_string_empty(const BIT_STRING_t *val)
+{
+	return !val || !val->buf || !val->size;
+}
+
 static int hnbgw_rx_hnb_register_req(struct hnb_context *ctx, ANY_t *in)
 {
 	struct hnb_persistent *hnbp;
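Review bot: The two new helpers carry no comment, and since OCTET_STRING_t and BIT_STRING_t are tested on the same buf/size fields a reader will wonder why two functions exist and whether the BIT_STRING variant intentionally ignores bits_unused; a one-line comment on each would settle that, e.g. `/* True when a decoded asn1c string carries no usable value (NULL buf or zero size), so callers never dereference it (CID#465551). */` on the first and `/* Same as the OCTET_STRING check; bits_unused is deliberately not consulted here. */` on the second. Both helpers are complete within the hunk; the same wording works for both, so the rationale need only be spelled out once.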
@@ -482,7 +492,13 @@ static int hnbgw_rx_hnb_register_req(struct hnb_context *ctx, ANY_t *in)
 	socklen_t len = sizeof(cur_osa);
 
 	rc = hnbap_decode_hnbregisterrequesties(&ies, in);
-	if (rc < 0) {
+	if (rc < 0
+	    /* CID#465551: make sure that actual values ended up in the asn1 octet strings: */
+	    || is_asn1_octet_string_empty(&ies.lac)
+	    || is_asn1_octet_string_empty(&ies.sac)
+	    || is_asn1_octet_string_empty(&ies.rac)
+	    || is_asn1_bit_string_empty(&ies.cellIdentity)
+	    || is_asn1_octet_string_empty(&ies.plmNidentity)) {
 		LOGHNB(ctx, DHNBAP, LOGL_ERROR, "Failure to decode HNB-REGISTER-REQ: rc=%d\n", rc);
 		cause.present = HNBAP_Cause_PR_protocol;
 		cause.choice.radioNetwork = HNBAP_CauseProtocol_unspecified;
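Review bot: The error branch is now also entered after hnbap_decode_hnbregisterrequesties() has succeeded (rc >= 0 but one of the mandatory IEs is empty), whereas it was written for a failed decode; unless the rest of that branch, which continues outside the hunk, releases the decoded IEs (the matching hnbap_free_hnbregisterrequesties() call, as far as I can tell from this codebase), a peer can leak one decoded structure per malformed HNB-REGISTER-REQ. On the same new path the log line prints a non-negative rc, which hides which of the two failures occurred; something like `LOGHNB(ctx, DHNBAP, LOGL_ERROR, "Failure to decode HNB-REGISTER-REQ or a mandatory IE is empty: rc=%d\n", rc);` keeps the two cases distinguishable in the logs. The checks only establish that each IE is non-empty, not that it has the length the later field copies presumably assume (e.g. a fixed-size LAC/SAC/RAC/PLMN); if the PER decoder does not already enforce those SIZE constraints, comparing size against the expected value here would close that gap as well. The if body and the remainder of hnbgw_rx_hnb_register_req() lie outside the hunk.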