Bug #3806

OsmoBSC accepts BSSAP with wrong length field

Added by laforge 28 days ago.

Status: New
Priority: Normal
Assignee:
Category: A interface
Target version: -
Start date: 02/18/2019
Due date:
% Done: 0%
Spec Reference:

Description

As seen in #3805, OsmoBSC would happily accept BSSMAP CLEAR COMMAND messages with IEs that extend beyond the length field of the BSSAP header.

This is definitely wrong. We should

  • parse the length field
  • ensure we have a minimum of that number of bytes of payload as specified by the length field
  • truncate the msgb to a payload length as specified

This way any additional garbage at the end of a message would simply be ignored, with us only parsing the specified "length" number of bytes.

Let's also make sure to add TTCN-3 tests for this, intentionally sending length field values too large and too short.

Once implemented in OsmoBSC, we should also implement it on the MSC side.
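
The three steps listed in the description, as an added example that is not part of the ticket and is not OsmoBSC or libosmocore code. `bssap_trim` and `struct bssap_view` are hypothetical names, the header layouts (BSSMAP: discriminator, length; DTAP: discriminator, DLCI, length) are assumed, and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BSSAP_DISC_BSSMAP 0x00 /* header: discriminator, length */
#define BSSAP_DISC_DTAP   0x01 /* header: discriminator, DLCI, length */

/* rc: 0 ok, -1 bad or truncated header, -2 length field exceeds received payload */
struct bssap_view { int rc; const uint8_t *payload; size_t len; };

/* Hypothetical helper (not an OsmoBSC/libosmocore function): applies the
 * parse / check / truncate steps to a raw BSSAP buffer. */
struct bssap_view bssap_trim(const uint8_t *buf, size_t buf_len)
{
    struct bssap_view v = { -1, NULL, 0 };
    size_t hdr_len;

    if (buf_len < 1)
        return v;
    switch (buf[0]) {
    case BSSAP_DISC_BSSMAP: hdr_len = 2; break;
    case BSSAP_DISC_DTAP:   hdr_len = 3; break;
    default: return v;                      /* unknown discriminator */
    }
    if (buf_len < hdr_len)
        return v;                           /* header itself is truncated */
    size_t declared = buf[hdr_len - 1];     /* 1. parse the length field */
    if (declared > buf_len - hdr_len) {     /* 2. at least that many bytes present? */
        v.rc = -2;
        return v;
    }
    v.rc = 0;                               /* 3. expose only the declared bytes */
    v.payload = buf + hdr_len;
    v.len = declared;
    return v;
}

/* Constructed samples: CLEAR COMMAND (0x20) carrying a Cause IE (0x04, len 1). */
static const uint8_t msg_ok[]       = { 0x00, 0x04, 0x20, 0x04, 0x01, 0x09 };
static const uint8_t msg_trailing[] = { 0x00, 0x04, 0x20, 0x04, 0x01, 0x09, 0xaa, 0xbb };
static const uint8_t msg_too_long[] = { 0x00, 0x06, 0x20, 0x04, 0x01, 0x09 };

int main(void)
{
    struct bssap_view t = bssap_trim(msg_trailing, sizeof(msg_trailing));
    printf("ok rc=%d, trailing len=%zu, too long rc=%d\n", bssap_trim(msg_ok, sizeof(msg_ok)).rc,
           t.len, bssap_trim(msg_too_long, sizeof(msg_too_long)).rc);
    return 0;
}
```

A length field that is too small is not an error at this layer: the IE parser only sees the declared bytes and must reject any IE that runs past them.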


Related issues

Related to OsmoMSC - Bug #3805: OsmoMSC sends invalid BSSMAP length field on CSFB CLEAR COMMAND (Resolved, 2019-02-18)

History

#1 Updated by laforge 28 days ago

  • Related to Bug #3805: OsmoMSC sends invalid BSSMAP length field on CSFB CLEAR COMMAND added
