Bug #4049
gsm48_decode_bcd_number2() can truncate the decoded number without -ENOSPC
Status: closed
Start date: 06/06/2019
Due date:
% Done: 100%
Spec Reference:
Description
I've come across this while writing a test for the Check IMEI GSUP message. The IMEI gets BCD-encoded, and OsmoHLR is supposed to verify the length before accepting the IMEI.
If the encoded input is longer than the output buffer by one or two bytes, gsm48_decode_bcd_number2() cuts off the overflowing bytes with \0 without returning -ENOSPC.
Here's a reproducer. I'm creating a patch for a proper fix and regression test.
#include <stdio.h>
#include <stdint.h>
#include <osmocom/core/utils.h>              /* osmo_hexdump() */
#include <osmocom/gsm/gsm48_ie.h>
#include <osmocom/gsm/protocol/gsm_23_003.h>

int main(void)
{
	uint8_t bcd_lv[100];
	/* 15 digits: one more than fits in the output buffer below */
	const char *input = "111456789012345";
	/* room for GSM23003_IMEI_NUM_DIGITS_NO_CHK digits plus the terminating NUL */
	char output[GSM23003_IMEI_NUM_DIGITS_NO_CHK+1] = {0};
	int len;
	int ret;

	printf("input: %s\n", input);

	// encode: length octet followed by nibble-swapped BCD digits
	len = gsm48_encode_bcd_number(bcd_lv, sizeof(bcd_lv), 0, input);

	// decode into the too-small buffer; expected: -ENOSPC, observed: 0
	ret = gsm48_decode_bcd_number2(output, sizeof(output), bcd_lv, len, 0);
	printf("ret: %i\n", ret);
	printf("output: %s\n", output);
	printf("encoded: %s\n", osmo_hexdump(bcd_lv, len));
	printf("encoded_len: %i\n", len);
	return 0;
}

./test
input: 111456789012345
ret: 0
output: 11145678901234
encoded: 08 11 41 65 87 09 21 43 f5
encoded_len: 9
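Added illustration, not libosmocore's code and not the fix in the linked patch: a small model decoder for the same length-prefixed, nibble-swapped BCD layout that reports -ENOSPC as soon as a digit would not fit (NUL terminator included) instead of silently truncating. decode_report_case() feeds it the bytes from the hexdump above; bcd_number_decode, decode_report_case and the digit table are names chosen here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* BCD nibble alphabet (TS 24.008 called-party number); 0xf is filler. */
static const char bcd_digits[] = "0123456789*#abc";

/* Decode a length-prefixed BCD number: one length octet, h_len header
 * octets, then nibble-swapped digits (low nibble first, 0xf ends it).
 * Returns digits written, -ENOSPC when 'output' (NUL included) cannot
 * hold them all, -EINVAL on a bad length.  Illustrative model for this
 * report, not libosmocore's gsm48_decode_bcd_number2(). */
static int bcd_number_decode(char *output, size_t output_len,
			     const uint8_t *bcd_lv, size_t input_len, int h_len)
{
	size_t i, len, pos = 0;
	if (output_len == 0)
		return -ENOSPC;
	output[0] = '\0';
	if (input_len < 1 || h_len < 0)
		return -EINVAL;
	len = bcd_lv[0];
	if (len + 1 > input_len || (size_t)h_len > len)
		return -EINVAL;

	for (i = 1 + h_len; i <= len; i++) {
		uint8_t nib[2] = { bcd_lv[i] & 0x0f, bcd_lv[i] >> 4 };
		for (int k = 0; k < 2; k++) {
			if (nib[k] == 0x0f)         /* filler: end of number */
				return (int)pos;
			if (pos + 1 >= output_len)  /* keep room for the NUL */
				return -ENOSPC;     /* truncated, and we say so */
			output[pos++] = bcd_digits[nib[k]];
			output[pos] = '\0';
		}
	}
	return (int)pos;
}

/* The encoded IMEI from the reproducer above (bytes constructed from its
 * hexdump), decoded into a caller-supplied buffer. */
int decode_report_case(char *out, size_t out_len)
{
	static const uint8_t bcd_lv[] = { 0x08, 0x11, 0x41, 0x65, 0x87,
					  0x09, 0x21, 0x43, 0xf5 };
	return bcd_number_decode(out, out_len, bcd_lv, sizeof(bcd_lv), 0);
}
```

With a 15-byte buffer (14 digits plus NUL) the call returns -ENOSPC while still leaving the NUL-terminated prefix "11145678901234" in the buffer; with a larger buffer it returns 15 and all digits.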
Updated by osmith almost 5 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 50
Updated by osmith almost 5 years ago
- % Done changed from 50 to 90
Fix submitted: https://gerrit.osmocom.org/c/libosmocore/+/14397
Updated by osmith almost 5 years ago
- Status changed from In Progress to Resolved
- % Done changed from 90 to 100