Bug #3806

OsmoBSC accepts BSSAP with wrong length field

Added by laforge about 1 month ago. Updated 3 days ago.

Status: In Progress
Category: A interface

As seen in #3805, OsmoBSC would happily accept BSSMAP CLEAR COMMAND messages with IEs that extend beyond the length field of the BSSAP header.

This is definitely wrong. We should

  • parse the length field
  • ensure we have a minimum of that number of bytes of payload as specified by the length field
  • truncate the msgb to a payload length as specified

This way any additional garbage at the end of a message would simply be ignored, with us only parsing the specified "length" number of bytes.

Let's also make sure to add TTCN-3 tests for this, intentionally sending length field values too large and too short.

Once implemented in OsmoBSC, we should also implement it on the MSC side.
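The three-step check described above (parse the length octet, reject a message that carries fewer payload bytes than declared, truncate one that carries more), written out as an added, self-contained example; this is not code from OsmoBSC or libosmocore. The `struct buf` is a stand-in for msgb, the sample messages are constructed, and the example also covers the 3-octet DTAP header (discriminator, DLCI, length), which the ticket does not mention.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal stand-in for libosmocore's msgb (assumption, not the project's struct). */
struct buf { uint8_t data[256]; size_t len; };

enum bssap_check {
	BSSAP_OK = 0,          /* length field matches payload, nothing changed  */
	BSSAP_TRUNCATED = 1,   /* trailing bytes beyond the length field dropped */
	BSSAP_TOO_SHORT = -1,  /* length field claims bytes we don't have: reject */
	BSSAP_BAD_HEADER = -2, /* header incomplete or unknown discriminator      */
};

/* TS 48.006 BSSAP header: discriminator 0x00 (BSSMAP) + length, or 0x01 (DTAP)
 * + DLCI + length. Check the length field against the bytes actually received
 * and shrink the buffer to header + length so that IE parsing never reads past it. */
enum bssap_check bssap_check_length(struct buf *msg)
{
	size_t hdr_len, claimed, payload;

	if (msg->len < 1) return BSSAP_BAD_HEADER;
	hdr_len = msg->data[0] == 0x00 ? 2 : msg->data[0] == 0x01 ? 3 : 0;
	if (hdr_len == 0 || msg->len < hdr_len) return BSSAP_BAD_HEADER;
	claimed = msg->data[hdr_len - 1];
	payload = msg->len - hdr_len;
	if (payload < claimed) return BSSAP_TOO_SHORT; /* promised bytes are missing */
	if (payload > claimed) {
		msg->len = hdr_len + claimed;              /* ignore trailing garbage */
		return BSSAP_TRUNCATED;
	}
	return BSSAP_OK;
}

/* Copy raw bytes into a buffer and run the check: returns the (possibly
 * truncated) buffer length on success, or the negative error code on rejection. */
long bssap_check_raw(const uint8_t *raw, size_t n)
{
	struct buf b;

	if (n > sizeof(b.data)) return BSSAP_BAD_HEADER;
	memcpy(b.data, raw, n);
	b.len = n;
	enum bssap_check rc = bssap_check_length(&b);
	return rc < 0 ? (long)rc : (long)b.len;
}

/* Constructed samples: BSSMAP CLEAR COMMAND (0x20) with a Cause IE; DTAP with garbage. */
const uint8_t CLEAR_OK[]    = { 0x00, 0x04, 0x20, 0x04, 0x01, 0x09 };
const uint8_t CLEAR_EXTRA[] = { 0x00, 0x04, 0x20, 0x04, 0x01, 0x09, 0xAA, 0xBB };
const uint8_t CLEAR_SHORT[] = { 0x00, 0x09, 0x20, 0x04, 0x01, 0x09 };
const uint8_t DTAP_EXTRA[]  = { 0x01, 0x00, 0x02, 0x05, 0x18, 0xFF };
```

The same two failure modes (length too large, length too short) are what the TTCN-3 tests proposed above would send on the wire.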

Related issues

Related to OsmoMSC - Bug #3805: OsmoMSC sends invalid BSSMAP length field on CSFB CLEAR COMMAND (Resolved, 2019-02-18)


#1 Updated by laforge about 1 month ago

  • Related to Bug #3805: OsmoMSC sends invalid BSSMAP length field on CSFB CLEAR COMMAND added

#2 Updated by dexter 3 days ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 40

I have now integrated checking+truncating of the bssmap message length; there is no TTCN3 test yet.

  • osmo_bsc_bssap: check bssamp length field
  • a_iface_bssap: check bssamp length field
