fix(mme): Enforce stricter input validation for S1AP/NGAP/NAS payloads #15401
Conversation
pull-request-size
bot
added
the
size/L
|
Thanks for opening a PR! 💯
Howto
More infoPlease take a moment to read through the Magma project's
If this is your first Magma PR, also consider reading
|
|
✔️ The Semantic PR check ended with status success. See instructions on formatting your commit and pull request titles. |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| @@ -564,6 +564,7 @@ int decode_emergency_number_list_ie( | |||
| buffer + decoded, EMERGENCY_NUMBER_MAX_DIGITS, len - decoded); | |||
|
|
|||
| e->lengthofemergencynumberinformation = *(buffer + decoded); | |||
| CHECK_LENGTH_DECODER(((int) len) - decoded, e->lengthofemergencynumberinformation); | |||
There was a problem hiding this comment.
[cpplint] reported by reviewdog 🐶
Using C-style cast. Use static_cast(...) instead [readability/casting] [4]
| @@ -577,7 +578,9 @@ | |||
| i < EMERGENCY_NUMBER_MAX_DIGITS; i++) { | |||
| e->number_digit[i] = 0xFF; | |||
| } | |||
| Fatal("TODO emergency_number_list_t->next"); | |||
|
|
|||
| // TODO implement emergency_number_list_t->next | |||
There was a problem hiding this comment.
[cpplint] reported by reviewdog 🐶
Missing username in TODO; it should look like "// TODO(my_username): Stuff." [readability/todo] [2]
| @@ -590,7 +593,9 @@ | |||
| uint32_t encoded = 0; | |||
| emergency_number_list_t* e = emergencynumberlist; | |||
|
|
|||
| Fatal("TODO Implement encode_emergency_number_list_ie"); | |||
| // TODO implement encode_emergency_number_list_ie | |||
There was a problem hiding this comment.
[cpplint] reported by reviewdog 🐶
Missing username in TODO; it should look like "// TODO(my_username): Stuff." [readability/todo] [2]
| @@ -73,7 +73,7 @@ int decode_access_point_name_ie(access_point_name_t* access_point_name, | |||
|
|
|||
| ielen = *(buffer + decoded); | |||
| decoded++; | |||
| CHECK_LENGTH_DECODER(len - decoded, ielen); | |||
| CHECK_LENGTH_DECODER(((int) len) - decoded, ielen); | |||
There was a problem hiding this comment.
[cpplint] reported by reviewdog 🐶
Using C-style cast. Use static_cast(...) instead [readability/casting] [4]
| @@ -236,6 +237,9 @@ | |||
| protocolconfigurationoptions->num_protocol_or_container_id = 0; | |||
|
|
|||
| while (3 <= ((int32_t)len - (int32_t)decoded)) { | |||
| if (protocolconfigurationoptions->num_protocol_or_container_id >= PCO_UNSPEC_MAXIMUM_PROTOCOL_ID_OR_CONTAINER_ID) { | |||
| return TLV_UNEXPECTED_IEI; // Maximum 30 options | |||
There was a problem hiding this comment.
[cpplint] reported by reviewdog 🐶
At least two spaces is best between code and comments [whitespace/comments] [2]
| @@ -803,7 +815,7 @@ | |||
| } | |||
| } | |||
|
|
|||
| if (len - decoded < 0) { | |||
| if (((int)len) - decoded < 0) { | |||
There was a problem hiding this comment.
[cpplint] reported by reviewdog 🐶
Using C-style cast. Use static_cast(...) instead [readability/casting] [4]
| @@ -46,7 +46,7 @@ int decode_esm_message_container(EsmMessageContainer* esmmessagecontainer, | |||
| } | |||
|
|
|||
| DECODE_LENGTH_U16(buffer + decoded, ielen, decoded); | |||
| CHECK_LENGTH_DECODER(len - decoded, ielen); | |||
| CHECK_LENGTH_DECODER(((int) len) - decoded, ielen); | |||
There was a problem hiding this comment.
[cpplint] reported by reviewdog 🐶
Using C-style cast. Use static_cast(...) instead [readability/casting] [4]
| if (iei > 0) { | ||
| CHECK_LENGTH_DECODER(((int) len) - decoded, 1); |
There was a problem hiding this comment.
[cpplint] reported by reviewdog 🐶
Using C-style cast. Use static_cast(...) instead [readability/casting] [4]
| CHECK_IEI_DECODER(iei, *buffer); | ||
| decoded++; | ||
| } | ||
|
|
||
| CHECK_LENGTH_DECODER(((int) len) - decoded, 2); |
There was a problem hiding this comment.
[cpplint] reported by reviewdog 🐶
Using C-style cast. Use static_cast(...) instead [readability/casting] [4]
| ielen = *(buffer + decoded); | ||
| decoded++; | ||
| CHECK_LENGTH_DECODER(len - decoded, ielen); | ||
| CHECK_LENGTH_DECODER(((int) len) - decoded, ielen); |
There was a problem hiding this comment.
[cpplint] reported by reviewdog 🐶
Using C-style cast. Use static_cast(...) instead [readability/casting] [4]
nathaniel-bennett
force-pushed
the
master
branch
3 times, most recently
from
60f5567
to
0831cdb
Compare
|
Oops! Looks like you failed the Howto
♻️ Updated: ✅ The check is passing the PR Check DCO after the last commit. |
|
@nathaniel-bennett : Please fix the DCO check : PR Check DCO / DCO Check (pull_request) . |
|
for me there is a build issue. See |
|
Hi @nathaniel-bennett after the recent commit I'm observing just the one TC failure, could you work it out with the help of the logs attached? //lte/gateway/c/core/oai/test/mme_app_task:mme_app_esm_encode_decode_test FAILED in 1.6s
=================================================================================
test.log
=================================================================================
exec ${PAGER:-/usr/bin/less} "$0" || exit 1
Executing tests from //lte/gateway/c/core/oai/test/mme_app_task:mme_app_esm_encode_decode_test
-----------------------------------------------------------------------------
Running main() from gmock_main.cc
[==========] Running 22 tests from 1 test suite.
[----------] Global test environment set-up.
[----------] 22 tests from ESMEncodeDecodeTest
[ RUN ] ESMEncodeDecodeTest.TestActivateDefaultEpsBearerContextRequest
lte/gateway/c/core/oai/test/mme_app_task/test_mme_app_esm_encode_decode.cpp:255: Failure
Expected: (decoded) >= (0), actual: -9 vs 0
lte/gateway/c/core/oai/test/mme_app_task/test_mme_app_esm_encode_decode.cpp:256: Failure
Expected equality of these values:
encoded
Which is: 121
decoded
Which is: -9
lte/gateway/c/core/oai/test/mme_app_task/test_mme_app_esm_encode_decode.cpp:258: Failure
Expected equality of these values:
original_msg->pdnaddress.pdntypevalue
Which is: '\x3' (3)
decoded_msg->pdnaddress.pdntypevalue
Which is: '\0'
lte/gateway/c/core/oai/test/mme_app_task/test_mme_app_esm_encode_decode.cpp:262: Failure
Expected equality of these values:
std::string((const char*)original_msg->accesspointname->data)
Which is: "magma.ipv4"
std::string((const char*)decoded_msg->accesspointname->data)
Which is: "magma."
|
nathaniel-bennett
force-pushed
the
master
branch
from
6fde504
to
d3a1086
Compare
|
Alright, I've figured it out--I refactored the equality symbol of an assertion the wrong way. The corrected code no longer returns -9 ( if (ielen < length_apn) {
// Mismatch in lengths remaining between IE length and APN length
return TLV_OCTET_STRING_TOO_LONG_FOR_IEI;
} |
nathaniel-bennett
force-pushed
the
master
branch
from
d3a1086
to
3ff68e7
Compare
|
Hi @nathaniel-bennett, all required CI jobs except the one my screenshot refers to seem to be passing, to fix this, please commit using the git commit --signoff -s -m "fix(mme): Enforce stricter input validation for S1AP/NGAP/NAS payloads"Please include the changes from my commit if you intend to push 'em in one go. |
Signed-off-by: Nathaniel <me@nathanielbennett.com>
nathaniel-bennett
force-pushed
the
master
branch
from
0e9c5ce
to
4e9c20f
Compare
|
The merge was blocked on a review from @pshelar, who is not responsive. I removed him from the reviewers list. |
|
@nathaniel-bennett @lucasgonze i still see some compilation issues on my side |
Summary
The following patch resolves several reachable assertions, overflows, null-dereference and type confusion vulnerabilities present in S1AP, NGAP and NAS protocol handlers. The fixes themselves are generally one-liners that add an additional trivial check to ensure an index isn't out of bounds, or a mandatory IE isn't missing, or a reachable assertion is turned into a soft error.
Test Plan
Tested via fuzzing to ensure robustness.
Security Considerations
The following fix mitigates several vulnerabilities accessible by either malicious base station or unauthenticated UE.