
Bug #4049

gsm48_decode_bcd_number2() can truncate the decoded number without -ENOSPC

Added by osmith 11 days ago. Updated 10 days ago.

Status: In Progress
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 06/06/2019
Due date:
% Done: 90%
Spec Reference:

Description

I've come across this while writing a test for the Check IMEI GSUP message. The IMEI gets bcd encoded, and OsmoHLR is supposed to verify the length before accepting the IMEI.

If the encoded input is longer than the output buffer by one or two bytes, gsm48_decode_bcd_number2() cuts off the overflowing bytes with \0 without returning -ENOSPC.

Here's a reproducer. I'm creating a patch for a proper fix and regression test.

#include <stdio.h>
#include <stdint.h>
#include <osmocom/core/utils.h>          /* osmo_hexdump() */
#include <osmocom/gsm/gsm48_ie.h>
#include <osmocom/gsm/protocol/gsm_23_003.h>

int main(void)
{
    uint8_t bcd_lv[100];
    /* 15 digits: one more than fits into the 14-digit IMEI buffer below */
    const char *input = "111456789012345";
    char output[GSM23003_IMEI_NUM_DIGITS_NO_CHK+1] = {0};
    int len;
    int ret;

    printf("input:   %s\n", input);

    // encode the digit string as LV BCD (len = total bytes incl. length byte)
    len = gsm48_encode_bcd_number(bcd_lv, sizeof(bcd_lv), 0, input);

    // decode back into the too-small output buffer; expected: -ENOSPC
    ret = gsm48_decode_bcd_number2(output, sizeof(output), bcd_lv, len, 0);
    printf("ret: %i\n", ret);
    printf("output:  %s\n", output);

    printf("encoded: %s\n", osmo_hexdump(bcd_lv, len));
    printf("encoded_len: %i\n", len);
    return 0;
}

./test
input:   111456789012345
ret: 0
output:  11145678901234
encoded: 08 11 41 65 87 09 21 43 f5 
encoded_len: 9
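The following is an added, self-contained illustration of the bounds check the report is asking for; it is neither libosmocore code nor part of the reporter's patch. It decodes the same LV BCD layout as the reproducer (length byte, optional header bytes, two digits per byte with the first digit in the low nibble, 0xf as end mark) but refuses with -ENOSPC as soon as a digit would not leave room for the terminating NUL, instead of returning 0 with a silently shortened string. The digit table follows 3GPP TS 24.008 table 10.5.118. It assumes the reproducer's IMEI buffer is 15 bytes (14 digits plus NUL, as the 14-digit truncated output implies) and reuses the encoded bytes printed above as a constructed sample; the function names decode_bcd_checked and run_sample are made up for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Digit values per 3GPP TS 24.008 table 10.5.118: 0-9, '*', '#', 'a', 'b', 'c'.
 * 0xf is the end mark for an odd digit count and is never emitted. */
static const char bcd_digits[] = "0123456789*#abc";

/* Append one nibble to output.  Returns 1 on the 0xf end mark, 0 on
 * success, -ENOSPC when writing it would leave no room for the NUL. */
static int put_nibble(char *output, size_t output_len, size_t *pos, uint8_t nib)
{
    if (nib == 0x0f)
        return 1;
    if (*pos + 1 >= output_len)
        return -ENOSPC;
    output[(*pos)++] = bcd_digits[nib];
    return 0;
}

/* Added example, not libosmocore code.  Returns 0 on success, -EINVAL for
 * malformed input, -ENOSPC if the digits plus the terminating NUL do not
 * fit into output_len bytes.  Output is always NUL-terminated with the
 * digits that fit, but the caller must treat -ENOSPC as a failure rather
 * than use the shortened string (the behaviour the bug report complains
 * about is exactly that a shortened IMEI passed as a success). */
int decode_bcd_checked(char *output, size_t output_len,
                       const uint8_t *bcd_lv, size_t bcd_lv_len, size_t h_len)
{
    size_t in_len, i, out_pos = 0;
    int rc = 0;

    if (output_len < 1)
        return -ENOSPC;
    if (bcd_lv_len < 1)
        return -EINVAL;
    in_len = bcd_lv[0];
    /* the length byte must not claim more bytes than were actually received */
    if (in_len + 1 > bcd_lv_len || in_len < h_len)
        return -EINVAL;

    for (i = 1 + h_len; i <= in_len; i++) {
        rc = put_nibble(output, output_len, &out_pos, bcd_lv[i] & 0x0f);
        if (rc == 0)
            rc = put_nibble(output, output_len, &out_pos, bcd_lv[i] >> 4);
        if (rc != 0)
            break;
    }
    output[out_pos] = '\0';
    return rc < 0 ? rc : 0;
}

/* Constructed sample: the encoded bytes printed by the reproducer above
 * ("08 11 41 65 87 09 21 43 f5"), i.e. the 15 digits 111456789012345. */
static const uint8_t sample_bcd_lv[] = {
    0x08, 0x11, 0x41, 0x65, 0x87, 0x09, 0x21, 0x43, 0xf5
};

/* Decode the first in_len bytes of the sample into a buffer of out_size
 * bytes (out_size <= 32) and compare the text with expected.  Returns the
 * decoder's return code, or 1000/1001 if the text differs / args are bad. */
int run_sample(size_t out_size, size_t in_len, const char *expected)
{
    char buf[32] = {0};
    int rc;

    if (out_size > sizeof(buf) || in_len > sizeof(sample_bcd_lv))
        return 1001;
    rc = decode_bcd_checked(buf, out_size, sample_bcd_lv, in_len, 0);
    if (strcmp(buf, expected) != 0)
        return 1000;
    return rc;
}

int main(void)
{
    /* 15 bytes: 14 digits plus NUL, the size the reproducer's output implies
     * for its IMEI buffer.  Instead of returning 0 with 14 digits, the checked
     * decoder reports -ENOSPC; one byte more and all 15 digits decode. */
    printf("15-byte buffer: rc=%d\n", run_sample(15, sizeof(sample_bcd_lv), "11145678901234"));
    printf("16-byte buffer: rc=%d\n", run_sample(16, sizeof(sample_bcd_lv), "111456789012345"));
    printf("truncated input: rc=%d\n", run_sample(16, 5, ""));
    return 0;
}
```

The key design choice is to test for space before writing each digit and to count the NUL as occupied space from the start, so the decoder can never end in the state the report shows: a success return code with fewer digits than the input carried. Validating the length byte against the bytes actually received is the companion check for the input side.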

History

#1 Updated by osmith 11 days ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 50

#2 Updated by osmith 10 days ago

  • % Done changed from 50 to 90
