Bug #3806
OsmoBSC accepts BSSAP with wrong length field
40%
Description
As seen in #3805, OsmoBSC would happily accept BSSMAP CLEAR COMMAND messages with IEs that extend beyond the length field of the BSSAP header.
This is definitely wrong. We should
- parse the length field
- ensure we have a minimum of that number of bytes of payload as specified by the length field
- truncate the msgb to a payload length as specified
This way any additional garbage at the end of a message would simply be ignored, with us only parsing the specified "length" number of bytes.
Let's also make sure to add TTCN-3 tests for this, intentionally sending length field values too large and too short.
Once implemented in OsmoBSC, we should also implement it on the MSC side.
Related issues
History
#1 Updated by laforge about 1 month ago
- Related to Bug #3805: OsmoMSC sends invalid BSSMAP length field on CSFB CLEAR COMMAND added
#2 Updated by dexter 3 days ago
- Status changed from New to In Progress
- % Done changed from 0 to 40
I have now integrated checking+truncating of the bssmap message length, there is no TTCN3 test yet.
https://gerrit.osmocom.org/#/c/osmo-bsc/+/13306 osmo_bsc_bssap: check bssamp length field
https://gerrit.osmocom.org/#/c/osmo-msc/+/13307 a_iface_bssap: check bssamp length field
