ipa: Handle corrupt incoming messages without crashing

Attempt to read the three byte IPA header. If we read 0 then the socket can be closed otherwise we need to read three bytes, if we don't we do have a failure. After having parsed the header we need to evaluate the length, if the length is bigger than would fit into our buffer we will ignore that and print an error. This is fixing a crash when the BTS is crashing...
2025-10-23 08:12:01 +00:00 · 2010-03-24 08:40:55 +01:00
parent f5284ae1cf
commit b3121c5b3f
1 changed files with 14 additions and 6 deletions
--- a/openbsc/src/input/ipaccess.c
+++ b/openbsc/src/input/ipaccess.c
@@ -289,14 +289,14 @@ struct msgb *ipaccess_read_msg(struct bsc_fd *bfd, int *error)

 	/* first read our 3-byte header */
 	hh = (struct ipaccess_head *) msg->data;
-	ret = recv(bfd->fd, msg->data, 3, 0);
-	if (ret < 0) {
-		if (errno != EAGAIN)
-			LOGP(DINP, LOGL_ERROR, "recv error %d %s\n", ret, strerror(errno));
+	ret = recv(bfd->fd, msg->data, sizeof(*hh), 0);
+	if (ret == 0) {
 		msgb_free(msg);
 		*error = ret;
 		return NULL;
-	} else if (ret == 0) {
+	} else if (ret != sizeof(*hh)) {
+		if (errno != EAGAIN)
+			LOGP(DINP, LOGL_ERROR, "recv error %d %s\n", ret, strerror(errno));
 		msgb_free(msg);
 		*error = ret;
 		return NULL;
@@ -307,9 +307,17 @@ struct msgb *ipaccess_read_msg(struct bsc_fd *bfd, int *error)
 	/* then read te length as specified in header */
 	msg->l2h = msg->data + sizeof(*hh);
 	len = ntohs(hh->len);
+
+	if (len < 0 || TS1_ALLOC_SIZE < len + sizeof(*hh)) {
+		LOGP(DINP, LOGL_ERROR, "Can not read this packet. %d avail\n", len);
+		msgb_free(msg);
+		*error = -EIO;
+		return NULL;
+	}
+
 	ret = recv(bfd->fd, msg->l2h, len, 0);
 	if (ret < len) {
-		LOGP(DINP, LOGL_ERROR, "short read!\n");
+		LOGP(DINP, LOGL_ERROR, "short read! Got %d from %d\n", ret, len);
 		msgb_free(msg);
 		*error = -EIO;
 		return NULL;