From 4188b5146eb524c894db2c14d21f45b939510ee2 Mon Sep 17 00:00:00 2001
From: Francisco
Date: Tue, 9 Feb 2021 18:02:53 +0000
Subject: [PATCH] fix uninitialized memory access in gtpu_test and liblte_mme unpacking

---
 lib/include/srslte/common/buffer_pool.h | 5 +++
 lib/include/srslte/common/byte_buffer.h | 8 ++++-
 lib/src/asn1/liblte_mme.cc | 41 ++++++++++++++++++++-----
 lib/src/upper/gtpu.cc | 1 +
 srsenb/src/stack/upper/gtpu.cc | 10 +++---
 srsenb/test/upper/gtpu_test.cc | 40 +++++++++++-------------
 6 files changed, 70 insertions(+), 35 deletions(-)

diff --git a/lib/include/srslte/common/buffer_pool.h b/lib/include/srslte/common/buffer_pool.h
index 232a89f37..4cb1daa98 100644
--- a/lib/include/srslte/common/buffer_pool.h
+++ b/lib/include/srslte/common/buffer_pool.h
@@ -223,6 +223,11 @@ inline unique_byte_buffer_t make_byte_buffer() noexcept
 return std::unique_ptr(new (std::nothrow) byte_buffer_t());
 }
 
+inline unique_byte_buffer_t make_byte_buffer(uint32_t size, uint8_t value) noexcept
+{
+ return std::unique_ptr(new (std::nothrow) byte_buffer_t(size, value));
+}
+
 inline unique_byte_buffer_t make_byte_buffer(const char* debug_ctxt) noexcept
 {
 std::unique_ptr buffer(new (std::nothrow) byte_buffer_t());
diff --git a/lib/include/srslte/common/byte_buffer.h b/lib/include/srslte/common/byte_buffer.h
index b07af7877..3719c4747 100644
--- a/lib/include/srslte/common/byte_buffer.h
+++ b/lib/include/srslte/common/byte_buffer.h
@@ -99,6 +99,13 @@ public:
 bzero(debug_name, SRSLTE_BUFFER_POOL_LOG_NAME_LEN);
 #endif
 }
+ explicit byte_buffer_t(uint32_t size) : msg(&buffer[SRSLTE_BUFFER_HEADER_OFFSET]), N_bytes(size)
+ {
+#ifdef SRSLTE_BUFFER_POOL_LOG_ENABLED
+ bzero(debug_name, SRSLTE_BUFFER_POOL_LOG_NAME_LEN);
+#endif
+ }
+ byte_buffer_t(uint32_t size, uint8_t val) : byte_buffer_t(size) { std::fill(msg, msg + N_bytes, val); }
 byte_buffer_t(const byte_buffer_t& buf) : msg(&buffer[SRSLTE_BUFFER_HEADER_OFFSET]), md(buf.md), N_bytes(buf.N_bytes)
 {
 // copy actual contents
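Review bot: The new `explicit byte_buffer_t(uint32_t size)` constructor stores `size` into `N_bytes` without checking it against the capacity of the backing `buffer` array, and `byte_buffer_t(uint32_t size, uint8_t val)` then runs `std::fill(msg, msg + N_bytes, val)` over that length, so an oversized `size` can write past the end of the object; `make_byte_buffer(uint32_t size, uint8_t value)` in the buffer_pool.h hunk forwards the caller's value straight into that constructor. Reject or clamp `size` against the usable payload length before assigning `N_bytes` (the capacity constant is not visible in this hunk). Note also that the single-argument constructor sets `N_bytes` but leaves those payload bytes uninitialized — the very class of defect this commit is fixing elsewhere — and, unlike the copy constructor, does not mention `md`; presumably `md` has in-class initialisers, but worth confirming. The class body continues outside the hunk.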
@@ -150,7 +157,6 @@ public:
 
 void* operator new(size_t sz);
 void* operator new(size_t sz, const std::nothrow_t& nothrow_value) noexcept;
- void* operator new(size_t sz, void* ptr) noexcept { return ptr; }
 void* operator new[](size_t sz) = delete;
 void operator delete(void* ptr);
 void operator delete[](void* ptr) = delete;
diff --git a/lib/src/asn1/liblte_mme.cc b/lib/src/asn1/liblte_mme.cc
index 9d4ab4c8a..b5658a3f5 100644
--- a/lib/src/asn1/liblte_mme.cc
+++ b/lib/src/asn1/liblte_mme.cc
@@ -298,7 +298,6 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_mobile_id_ie(LIBLTE_MME_MOBILE_ID_STRUCT* mobi
 
 err = LIBLTE_SUCCESS;
 } else {
-
 **ie_ptr = (0xFF << 4) | (0 << 3) | mobile_id->type_of_id;
 *ie_ptr += 1;
 // 4-Byte based ids
@@ -4364,7 +4363,6 @@ LIBLTE_ERROR_ENUM liblte_mme_unpack_transaction_identifier_ie(uint8**
 
 LIBLTE_ERROR_ENUM liblte_mme_parse_msg_sec_header(LIBLTE_BYTE_MSG_STRUCT* msg, uint8* pd, uint8* sec_hdr_type)
 {
-
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 
 if (msg != NULL && pd != NULL && sec_hdr_type != NULL) {
@@ -4599,6 +4597,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_attach_accept_msg(LIBLTE_MME_ATTACH_ACCEPT_MSG
 LIBLTE_ERROR_ENUM liblte_mme_unpack_attach_accept_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_ATTACH_ACCEPT_MSG_STRUCT* attach_accept)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -4785,6 +4784,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_attach_complete_msg(LIBLTE_MME_ATTACH_COMPLETE
 LIBLTE_ERROR_ENUM liblte_mme_unpack_attach_complete_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_ATTACH_COMPLETE_MSG_STRUCT* attach_comp)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
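Review bot: `bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT))` in `liblte_mme_unpack_attach_accept_msg` zeroes the input message before it is parsed — `msg_ptr` is taken from `msg->msg` on the very next line, and the `@@ -9278` hunk shows the body reading `msg->msg[0]` for the security header type — so every unpacker now decodes an all-zero NAS PDU instead of the received one, while the output struct (`attach_accept` here) that actually needs clearing is left untouched. The same line is added in `liblte_mme_unpack_attach_complete_msg` just below and in every other `*_unpack_*_msg` hunk of this file through `@@ -10244`. The zeroing should target the output parameter, `bzero(attach_accept, sizeof(*attach_accept));`, and sit inside the `msg != NULL && attach_accept != NULL` guard these functions use rather than before it, since the current placement dereferences `msg` before the function checks it for NULL. Each function's body continues outside its hunk.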
@@ -4861,6 +4861,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_attach_reject_msg(LIBLTE_MME_ATTACH_REJECT_MSG
 LIBLTE_ERROR_ENUM liblte_mme_unpack_attach_reject_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_ATTACH_REJECT_MSG_STRUCT* attach_rej)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -5110,6 +5111,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_attach_request_msg(LIBLTE_MME_ATTACH_REQUEST_M
 LIBLTE_ERROR_ENUM liblte_mme_unpack_attach_request_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_ATTACH_REQUEST_MSG_STRUCT* attach_req)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -5317,6 +5319,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_authentication_failure_msg(LIBLTE_MME_AUTHENTI
 LIBLTE_ERROR_ENUM liblte_mme_unpack_authentication_failure_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_AUTHENTICATION_FAILURE_MSG_STRUCT* auth_fail)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -5386,6 +5389,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_authentication_reject_msg(LIBLTE_MME_AUTHENTIC
 LIBLTE_ERROR_ENUM liblte_mme_unpack_authentication_reject_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_AUTHENTICATION_REJECT_MSG_STRUCT* auth_reject)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -5453,6 +5457,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_authentication_request_msg(LIBLTE_MME_AUTHENTI
 LIBLTE_ERROR_ENUM liblte_mme_unpack_authentication_request_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_AUTHENTICATION_REQUEST_MSG_STRUCT* auth_req)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -5502,7 +5507,6 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_authentication_response_msg(LIBLTE_MME_AUTHENT
 uint8* msg_ptr = msg->msg;
 
 if (auth_resp != NULL && msg != NULL) {
-
 if (LIBLTE_MME_SECURITY_HDR_TYPE_PLAIN_NAS != sec_hdr_type) {
 // Protocol Discriminator and Security Header Type
 *msg_ptr = (sec_hdr_type << 4) | (LIBLTE_MME_PD_EPS_MOBILITY_MANAGEMENT);
@@ -5539,6 +5543,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_authentication_response_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_AUTHENTICATION_RESPONSE_MSG_STRUCT* auth_resp)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -5625,6 +5630,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_detach_accept_msg(LIBLTE_MME_DETACH_ACCEPT_MSG
 LIBLTE_ERROR_ENUM liblte_mme_unpack_detach_accept_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_DETACH_ACCEPT_MSG_STRUCT* detach_accept)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -5705,6 +5711,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_detach_request_msg(LIBLTE_MME_DETACH_REQUEST_M
 LIBLTE_ERROR_ENUM liblte_mme_unpack_detach_request_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_DETACH_REQUEST_MSG_STRUCT* detach_req)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -5789,6 +5796,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_downlink_nas_transport_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_DOWNLINK_NAS_TRANSPORT_MSG_STRUCT* dl_nas_transport)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -5898,6 +5906,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_emm_information_msg(LIBLTE_MME_EMM_INFORMATION
 LIBLTE_ERROR_ENUM liblte_mme_unpack_emm_information_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_EMM_INFORMATION_MSG_STRUCT* emm_info)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -6017,6 +6026,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_emm_status_msg(LIBLTE_MME_EMM_STATUS_MSG_STRUC
 LIBLTE_ERROR_ENUM liblte_mme_unpack_emm_status_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_EMM_STATUS_MSG_STRUCT* emm_status)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -6129,6 +6139,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_extended_service_request_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_EXTENDED_SERVICE_REQUEST_MSG_STRUCT* ext_service_req)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -6247,6 +6258,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_guti_reallocation_command_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_GUTI_REALLOCATION_COMMAND_MSG_STRUCT* guti_realloc_cmd)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -6393,6 +6405,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_identity_request_msg(LIBLTE_MME_ID_REQUEST_MSG
 LIBLTE_ERROR_ENUM liblte_mme_unpack_identity_request_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_ID_REQUEST_MSG_STRUCT* id_req)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -6472,6 +6485,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_identity_response_msg(LIBLTE_MME_ID_RESPONSE_M
 LIBLTE_ERROR_ENUM liblte_mme_unpack_identity_response_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_ID_RESPONSE_MSG_STRUCT* id_resp)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -6578,6 +6592,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_security_mode_command_msg(LIBLTE_MME_SECURITY_
 LIBLTE_ERROR_ENUM liblte_mme_unpack_security_mode_command_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_SECURITY_MODE_COMMAND_MSG_STRUCT* sec_mode_cmd)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -6695,6 +6710,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_security_mode_complete_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_SECURITY_MODE_COMPLETE_MSG_STRUCT* sec_mode_comp)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -6764,6 +6780,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_security_mode_reject_msg(LIBLTE_MME_SECURITY_M
 LIBLTE_ERROR_ENUM liblte_mme_unpack_security_mode_reject_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_SECURITY_MODE_REJECT_MSG_STRUCT* sec_mode_rej)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -6855,6 +6872,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_service_reject_msg(LIBLTE_MME_SERVICE_REJECT_M
 LIBLTE_ERROR_ENUM liblte_mme_unpack_service_reject_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_SERVICE_REJECT_MSG_STRUCT* service_rej)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -6935,6 +6953,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_service_request_msg(LIBLTE_MME_SERVICE_REQUEST
 LIBLTE_ERROR_ENUM liblte_mme_unpack_service_request_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_SERVICE_REQUEST_MSG_STRUCT* service_req)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 
@@ -7109,6 +7128,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_tracking_area_update_accept_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_TRACKING_AREA_UPDATE_ACCEPT_MSG_STRUCT* ta_update_accept)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -7396,6 +7416,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_tracking_area_update_reject_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_TRACKING_AREA_UPDATE_REJECT_MSG_STRUCT* ta_update_rej)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -7493,6 +7514,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_uplink_nas_transport_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_UPLINK_NAS_TRANSPORT_MSG_STRUCT* ul_nas_transport)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -8341,7 +8363,6 @@ LIBLTE_ERROR_ENUM liblte_mme_unpack_activate_default_eps_bearer_context_request_
 uint8* msg_ptr = msg->msg;
 
 if (msg != NULL && act_def_eps_bearer_context_req != NULL) {
-
 // EPS Bearer ID
 act_def_eps_bearer_context_req->eps_bearer_id = (*msg_ptr >> 4);
 msg_ptr++;
@@ -9100,7 +9121,6 @@ srslte_mme_pack_esm_information_request_msg(LIBLTE_MME_ESM_INFORMATION_REQUEST_M
 uint8* msg_ptr = msg->msg;
 
 if (esm_info_req != NULL && msg != NULL) {
-
 if (LIBLTE_MME_SECURITY_HDR_TYPE_PLAIN_NAS != sec_hdr_type) {
 // Protocol Discriminator and Security Header Type
 *msg_ptr = (sec_hdr_type << 4) | (LIBLTE_MME_PD_EPS_MOBILITY_MANAGEMENT);
@@ -9151,7 +9171,6 @@ liblte_mme_pack_esm_information_request_msg(LIBLTE_MME_ESM_INFORMATION_REQUEST_M
 uint8* msg_ptr = msg->msg;
 
 if (esm_info_req != NULL && msg != NULL) {
-
 // Protocol Discriminator and EPS Bearer ID
 *msg_ptr = (esm_info_req->eps_bearer_id << 4) | (LIBLTE_MME_PD_EPS_SESSION_MANAGEMENT);
 msg_ptr++;
@@ -9177,6 +9196,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_esm_information_request_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_ESM_INFORMATION_REQUEST_MSG_STRUCT* esm_info_req)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
@@ -9278,12 +9298,12 @@ LIBLTE_ERROR_ENUM
 srslte_mme_unpack_esm_information_response_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_ESM_INFORMATION_RESPONSE_MSG_STRUCT* esm_info_resp)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 uint8 sec_hdr_type;
 
 if (msg != NULL && esm_info_resp != NULL) {
-
 // Security Header Type
 sec_hdr_type = (msg->msg[0] & 0xF0) >> 4;
 if (LIBLTE_MME_SECURITY_HDR_TYPE_PLAIN_NAS == sec_hdr_type) {
@@ -9330,6 +9350,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_esm_information_response_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_ESM_INFORMATION_RESPONSE_MSG_STRUCT* esm_info_resp)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 
@@ -9411,6 +9432,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_esm_status_msg(LIBLTE_MME_ESM_STATUS_MSG_STRUC
 LIBLTE_ERROR_ENUM liblte_mme_unpack_esm_status_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_ESM_STATUS_MSG_STRUCT* esm_status)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 
@@ -9851,6 +9873,7 @@ LIBLTE_ERROR_ENUM liblte_mme_pack_notification_msg(LIBLTE_MME_NOTIFICATION_MSG_S
 LIBLTE_ERROR_ENUM liblte_mme_unpack_notification_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_NOTIFICATION_MSG_STRUCT* notification)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 
@@ -9932,6 +9955,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_pdn_connectivity_reject_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_PDN_CONNECTIVITY_REJECT_MSG_STRUCT* pdn_con_rej)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 
@@ -10048,6 +10072,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_pdn_connectivity_request_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_PDN_CONNECTIVITY_REQUEST_MSG_STRUCT* pdn_con_req)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 
@@ -10159,6 +10184,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_pdn_disconnect_reject_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_PDN_DISCONNECT_REJECT_MSG_STRUCT* pdn_discon_rej)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 
@@ -10244,6 +10270,7 @@ LIBLTE_ERROR_ENUM
 liblte_mme_unpack_pdn_disconnect_request_msg(LIBLTE_BYTE_MSG_STRUCT* msg,
 LIBLTE_MME_PDN_DISCONNECT_REQUEST_MSG_STRUCT* pdn_discon_req)
 {
+ bzero(msg, sizeof(LIBLTE_BYTE_MSG_STRUCT));
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
 
diff --git a/lib/src/upper/gtpu.cc b/lib/src/upper/gtpu.cc
index 488012270..223090023 100644
--- a/lib/src/upper/gtpu.cc
+++ b/lib/src/upper/gtpu.cc
@@ -82,6 +82,7 @@ bool gtpu_write_header(gtpu_header_t* header, srslte::byte_buffer_t* pdu, srslte
 *ptr = header->n_pdu;
 } else {
 header->n_pdu = 0;
+ *ptr = 0;
 }
 ptr++;
 // E
diff --git a/srsenb/src/stack/upper/gtpu.cc b/srsenb/src/stack/upper/gtpu.cc
index 3a46c526a..d6b67866e 100644
--- a/srsenb/src/stack/upper/gtpu.cc
+++ b/srsenb/src/stack/upper/gtpu.cc
@@ -475,12 +475,12 @@ void gtpu::end_marker(uint32_t teidin)
 
 gtpu_write_header(&header, pdu.get(), gtpu_log);
 
- struct sockaddr_in servaddr;
- servaddr.sin_family = AF_INET;
- servaddr.sin_addr.s_addr = htonl(tunnel.spgw_addr);
- servaddr.sin_port = htons(GTPU_PORT);
+ struct sockaddr_in servaddr = {};
+ servaddr.sin_family = AF_INET;
+ servaddr.sin_addr.s_addr = htonl(tunnel.spgw_addr);
+ servaddr.sin_port = htons(GTPU_PORT);
 
- sendto(fd, pdu->msg, 12, MSG_EOR, (struct sockaddr*)&servaddr, sizeof(struct sockaddr_in));
+ sendto(fd, pdu->msg, pdu->N_bytes, MSG_EOR, (struct sockaddr*)&servaddr, sizeof(struct sockaddr_in));
 }
 
 /****************************************************************************
diff --git a/srsenb/test/upper/gtpu_test.cc b/srsenb/test/upper/gtpu_test.cc
index e6256eaf1..438832f76 100644
--- a/srsenb/test/upper/gtpu_test.cc
+++ b/srsenb/test/upper/gtpu_test.cc
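Review bot: `*ptr = 0;` zeroes the N-PDU byte only on the else branch, so the fix is tied to this one field even though `ptr++` runs unconditionally afterwards and the byte goes on the wire whether or not its flag is set; the `// E` section that follows (outside the hunk) appears to use the same write-or-skip shape for the next optional byte, so it is worth checking that every optional-field branch in `gtpu_write_header` writes something. A more robust shape is to clear the whole optional-field region once before the per-field writes (the GTP-U sequence number, N-PDU number and next-extension-header type fields together occupy four bytes), which removes the dependence on each branch remembering to zero its own byte. `gtpu_write_header` starts and ends outside the hunk.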
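Review bot: The rewritten `sendto()` line in `gtpu::end_marker` still discards the return value, so a failed or short send of the end marker is silently lost; a one-line check such as `if (sendto(fd, pdu->msg, pdu->N_bytes, MSG_EOR, (struct sockaddr*)&servaddr, sizeof(struct sockaddr_in)) < 0) { /* report strerror(errno) via gtpu_log */ }` would surface it, with `gtpu_log` already in scope on the `gtpu_write_header` call above. Replacing the literal `12` with `pdu->N_bytes` is right only if `gtpu_write_header` sets `N_bytes` to the header length it wrote; that is not visible in this hunk, so worth confirming in the lib/src/upper/gtpu.cc implementation. `end_marker` starts outside the hunk.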
@@ -73,15 +73,13 @@ srslte::unique_byte_buffer_t encode_ipv4_packet(srslte::span data,
 {
 srslte::unique_byte_buffer_t pdu = srslte::make_byte_buffer();
 
- struct iphdr ip_pkt;
- ip_pkt.version = 4;
- ip_pkt.tot_len = htons(data.size() + sizeof(struct iphdr));
- ip_pkt.saddr = src_sockaddr_in.sin_addr.s_addr;
- ip_pkt.daddr = dest_sockaddr_in.sin_addr.s_addr;
- memcpy(pdu->msg, &ip_pkt, sizeof(struct iphdr));
- pdu->N_bytes = sizeof(struct iphdr);
- memcpy(pdu->msg + pdu->N_bytes, data.data(), data.size());
- pdu->N_bytes += data.size();
+ struct iphdr ip_pkt = {};
+ ip_pkt.version = 4;
+ ip_pkt.tot_len = htons(data.size() + sizeof(struct iphdr));
+ ip_pkt.saddr = src_sockaddr_in.sin_addr.s_addr;
+ ip_pkt.daddr = dest_sockaddr_in.sin_addr.s_addr;
+ pdu->append_bytes((uint8_t*)&ip_pkt, sizeof(struct iphdr));
+ pdu->append_bytes(data.data(), data.size());
 
 return pdu;
 }
@@ -94,11 +92,11 @@ srslte::unique_byte_buffer_t encode_gtpu_packet(srslte::span data,
 srslte::unique_byte_buffer_t pdu = encode_ipv4_packet(data, teid, src_sockaddr_in, dest_sockaddr_in);
 
 // header
- srslte::gtpu_header_t header;
- header.flags = GTPU_FLAGS_VERSION_V1 | GTPU_FLAGS_GTP_PROTOCOL;
- header.message_type = GTPU_MSG_DATA_PDU;
- header.length = pdu->N_bytes;
- header.teid = teid;
+ srslte::gtpu_header_t header = {};
+ header.flags = GTPU_FLAGS_VERSION_V1 | GTPU_FLAGS_GTP_PROTOCOL;
+ header.message_type = GTPU_MSG_DATA_PDU;
+ header.length = pdu->N_bytes;
+ header.teid = teid;
 gtpu_write_header(&header, pdu.get(), srslte::log_ref("GTPU"));
 
 return pdu;
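Review bot: `struct iphdr ip_pkt = {}` makes `ihl` deterministically zero where it was previously garbage, but an IPv4 header of `sizeof(struct iphdr)` bytes should carry `ihl = 5`, so `encode_ipv4_packet` still builds a malformed header; add `ip_pkt.ihl = 5;` next to `ip_pkt.version = 4;` (and `ttl`/`protocol` if anything downstream inspects them). The `(uint8_t*)&ip_pkt` C-style cast on the first `append_bytes` call should be the greppable `reinterpret_cast<uint8_t*>(&ip_pkt)`, matching the already-typed `data.data()` on the second call. Whether `append_bytes` reports a buffer overflow is not visible here; if it returns a status, the test should assert on it rather than drop it.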
@@ -109,11 +107,11 @@ srslte::unique_byte_buffer_t encode_end_marker(uint32_t teid)
 srslte::unique_byte_buffer_t pdu = srslte::make_byte_buffer();
 
 // header
- srslte::gtpu_header_t header;
- header.flags = GTPU_FLAGS_VERSION_V1 | GTPU_FLAGS_GTP_PROTOCOL;
- header.message_type = GTPU_MSG_END_MARKER;
- header.length = 0;
- header.teid = teid;
+ srslte::gtpu_header_t header = {};
+ header.flags = GTPU_FLAGS_VERSION_V1 | GTPU_FLAGS_GTP_PROTOCOL;
+ header.message_type = GTPU_MSG_END_MARKER;
+ header.length = 0;
+ header.teid = teid;
 gtpu_write_header(&header, pdu.get(), srslte::log_ref("GTPU"));
 
 return pdu;
@@ -132,7 +130,7 @@ int test_gtpu_direct_tunneling()
 uint32_t drb1 = 3;
 uint32_t sgw_teidout1 = 1, sgw_teidout2 = 2;
 const char * sgw_addr_str = "127.0.0.1", *senb_addr_str = "127.0.1.1", *tenb_addr_str = "127.0.1.2";
- struct sockaddr_in senb_sockaddr, sgw_sockaddr, tenb_sockaddr;
+ struct sockaddr_in senb_sockaddr = {}, sgw_sockaddr = {}, tenb_sockaddr = {};
 srslte::net_utils::set_sockaddr(&senb_sockaddr, senb_addr_str, GTPU_PORT);
 srslte::net_utils::set_sockaddr(&sgw_sockaddr, sgw_addr_str, GTPU_PORT);
 srslte::net_utils::set_sockaddr(&tenb_sockaddr, tenb_addr_str, GTPU_PORT);
@@ -158,8 +156,6 @@ int test_gtpu_direct_tunneling()
 uint32_t tenb_teid_in = tenb_gtpu.add_bearer(rnti2, drb1, sgw_addr, sgw_teidout2);
 
 // Buffer PDUs in SeNB PDCP
- pdu = srslte::make_byte_buffer();
- pdu->N_bytes = 10;
 for (size_t sn = 6; sn < 10; ++sn) {
 std::vector data(10, sn);
 pdu = encode_ipv4_packet(data, senb_teid_in, sgw_sockaddr, senb_sockaddr);