mirror of
https://github.com/open5gs/open5gs.git
synced 2026-04-28 03:19:31 +00:00
mme: Avoid abort on malformed Address AVPs in S6a messages
The MME terminated with abort() when processing IDR or ULA messages containing a malformed Served-Party-IP-Address (AVP 848) or MIP-Home-Agent-Address (AVP 334). In mme_s6a_subscription_data_from_avp(), the return value of fd_msg_avp_value_interpret() was checked using ogs_assert(ret == 0). However, this function may legitimately return an error if the Address AVP contains an invalid encoding (e.g., invalid address family or length mismatch). Since freeDiameter treats Address AVPs as raw OctetString during decoding, malformed values can reach this code path. As a result, receiving such an AVP caused ogs_assert() → ogs_abort() → abort(), terminating the entire MME process. Fix this by replacing the assertion with proper error handling. If fd_msg_avp_value_interpret() fails, the malformed AVP is ignored with a warning log and processing continues. This prevents a malformed or malicious Diameter message from crashing the MME while preserving normal operation for valid data. Issues: #4334
This commit is contained in:
Sukchan Lee
parent
c42d7b7d9b
commit
42506202e8
1 changed files with 19 additions and 13 deletions
|
|
@ -424,8 +424,13 @@ static int mme_s6a_subscription_data_from_avp(struct avp *avp,
|
|||
ogs_assert(ret == 0);
|
||||
switch(hdr->avp_code) {
|
||||
case OGS_DIAM_S6A_AVP_CODE_SERVED_PARTY_IP_ADDRESS:
|
||||
memset(&addr, 0, sizeof(addr));
|
||||
ret = fd_msg_avp_value_interpret(avpch3, &addr.sa);
|
||||
ogs_assert(ret == 0);
|
||||
if (ret != 0) {
|
||||
ogs_warn("Ignore malformed "
|
||||
"Served-Party-IP-Address AVP");
|
||||
break;
|
||||
}
|
||||
|
||||
if (addr.ogs_sa_family == AF_INET) {
|
||||
session->ue_ip.addr = addr.sin.sin_addr.s_addr;
|
||||
|
|
@ -451,7 +456,8 @@ static int mme_s6a_subscription_data_from_avp(struct avp *avp,
|
|||
"IPv6. Ignoring...", session->session_type);
|
||||
}
|
||||
} else {
|
||||
ogs_error("Invalid family[%d]",
|
||||
ogs_warn("Invalid family[%d] in "
|
||||
"Served-Party-IP-Address",
|
||||
addr.ogs_sa_family);
|
||||
}
|
||||
break;
|
||||
|
|
@ -613,27 +619,27 @@ static int mme_s6a_subscription_data_from_avp(struct avp *avp,
|
|||
ogs_assert(ret == 0);
|
||||
switch(hdr->avp_code) {
|
||||
case OGS_DIAM_S6A_AVP_CODE_MIP_HOME_AGENT_ADDRESS:
|
||||
memset(&addr, 0, sizeof(addr));
|
||||
ret = fd_msg_avp_value_interpret(avpch4,
|
||||
&addr.sa);
|
||||
ogs_assert(ret == 0);
|
||||
if (addr.ogs_sa_family == AF_INET)
|
||||
{
|
||||
if (ret != 0) {
|
||||
ogs_warn("Ignore malformed "
|
||||
"MIP-Home-Agent-Address AVP");
|
||||
break;
|
||||
}
|
||||
if (addr.ogs_sa_family == AF_INET) {
|
||||
session->smf_ip.ipv4 = 1;
|
||||
session->smf_ip.addr =
|
||||
addr.sin.sin_addr.s_addr;
|
||||
}
|
||||
else if (addr.ogs_sa_family == AF_INET6)
|
||||
{
|
||||
} else if (addr.ogs_sa_family == AF_INET6) {
|
||||
session->smf_ip.ipv6 = 1;
|
||||
memcpy(session->smf_ip.addr6,
|
||||
addr.sin6.sin6_addr.s6_addr,
|
||||
OGS_IPV6_LEN);
|
||||
}
|
||||
else
|
||||
{
|
||||
ogs_error("Invald family:%d",
|
||||
} else {
|
||||
ogs_warn("Invald family[%d] "
|
||||
"in MIP-Home-Agent-Address",
|
||||
addr.ogs_sa_family);
|
||||
error++;
|
||||
}
|
||||
break;
|
||||
case OGS_DIAM_S6A_AVP_CODE_MIP_HOME_AGENT_HOST:
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue