Project

General

Profile

Actions

Bug #4049

closed

gsm48_decode_bcd_number2() can truncate the decoded number without -ENOSPC

Added by osmith almost 5 years ago. Updated almost 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Start date:
06/06/2019
Due date:
% Done:

100%

Spec Reference:

Description

I've come across this while writing a test for the Check IMEI GSUP message. The IMEI gets bcd encoded, and OsmoHLR is supposed to verify the length before accepting the IMEI.

If the encoded input is longer than the output buffer by one or two bytes, gsm48_decode_bcd_number2() cuts off the overflowing bytes with \0 without returning -ENOSPC.

Here's a reproducer. I'm creating a patch for a proper fix and regression test.

#include <stdio.h>
#include <osmocom/gsm/gsm48_ie.h>
#include <osmocom/gsm/protocol/gsm_23_003.h>

int main()
{
    uint8_t bcd_lv[100];
    const char *input = "111456789012345";
    char output[GSM23003_IMEI_NUM_DIGITS_NO_CHK+1] = {0};
    int len;
    int ret;

    printf("input:   %s\n", input);

    // encode
    len = gsm48_encode_bcd_number(bcd_lv, sizeof(bcd_lv), 0, input);

    // decode
    ret = gsm48_decode_bcd_number2(output, sizeof(output), bcd_lv, len, 0);
    printf("ret: %i\n", ret);
    printf("output:  %s\n", output);

    printf("encoded: %s\n", osmo_hexdump(bcd_lv, len));
    printf("encoded_len: %i\n", len);
    return 0;
}

./test
input:   111456789012345
ret: 0
output:  11145678901234
encoded: 08 11 41 65 87 09 21 43 f5 
encoded_len: 9
Actions #1

Updated by osmith almost 5 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 50
Actions #2

Updated by osmith almost 5 years ago

  • % Done changed from 50 to 90
Actions #3

Updated by osmith almost 5 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100
Actions

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)