[SECURITY] Fix GTPIE parsing DoS
This is taken from http://sourceforge.net/tracker/index.php?func=detail&aid=1811511&group_id=68956&atid=522957 and http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg402969.html and addresses a DoS:
The problem lies in the parsing of information elements in GTP messages, which
is implemented in the gtpie_decaps function of gtp/gtpie.c file.
The implementation has a bug that does not check if there are too many
information elements in the message thus causing the software to loop
infinitely in the while-loop.
In addition, handling routine for the error situation had to be implemented
outside the while-loop.
diff --git a/gtp/gtpie.c b/gtp/gtpie.c
index 55d3f32..a62d02c 100644
--- a/gtp/gtpie.c
+++ b/gtp/gtpie.c
@@ -188,7 +188,7 @@
memset(ie, 0, 4 * GTPIE_SIZE);
- while (p<end) {
+ while ((p<end) && (j<GTPIE_SIZE)) {
if (GTPIE_DEBUG) {
printf("The packet looks like this:\n");
for( i=0; i<(end-p); i++) {
@@ -346,6 +346,10 @@
(unsigned long) p, (unsigned long) end);
return 0; /* We landed at the end of the packet: OK */
}
+ else if (!(j<GTPIE_SIZE)) {
+ if (GTPIE_DEBUG) printf("GTPIE too many elements.\n");
+ return EOF; /* We received too many information elements */
+ }
else {
if (GTPIE_DEBUG) printf("GTPIE exceeded end of packet. %lx %lx\n",
(unsigned long) p, (unsigned long) end);