gprs: Clear GSUP message structures before decoding
Currently the message structure is not cleared before the message is
parsed which can cause information leaking between messages if the
same gprs_gsup_message object is used. Especially list elements (auth
tuples and pdp info) are not replaced by an IE, but the IE is
appended.
This patch uses the assignment operator to clear gprs_gsup_message,
gsm_auth_tuple, and gprs_gsup_pdp_info before using them. This also
replaces the use of memcpy of the latter.
Sponsored-by: On-Waves ehf
diff --git a/openbsc/src/gprs/gprs_gsup_messages.c b/openbsc/src/gprs/gprs_gsup_messages.c
index aa3d55e..f47ad55 100644
--- a/openbsc/src/gprs/gprs_gsup_messages.c
+++ b/openbsc/src/gprs/gprs_gsup_messages.c
@@ -172,6 +172,9 @@
size_t value_len;
static const struct gprs_gsup_pdp_info empty_pdp_info = {0};
static const struct gsm_auth_tuple empty_auth_info = {0};
+ static const struct gprs_gsup_message empty_gsup_message = {0};
+
+ *gsup_msg = empty_gsup_message;
/* generic part */
rc = gprs_shift_v_fixed(&data, &data_len, 1, &value);
@@ -198,9 +201,6 @@
gsm48_decode_bcd_number(gsup_msg->imsi, sizeof(gsup_msg->imsi),
value - 1, 0);
- gsup_msg->num_pdp_infos = 0;
- gsup_msg->num_auth_tuples = 0;
-
/* specific parts */
while (data_len > 0) {
enum gprs_gsup_iei iei;
@@ -253,7 +253,7 @@
return -GMM_CAUSE_COND_IE_ERR;
}
- memcpy(&pdp_info, &empty_pdp_info, sizeof(pdp_info));
+ pdp_info = empty_pdp_info;
if (iei == GPRS_GSUP_PDP_INFO_IE) {
rc = decode_pdp_info(value, value_len, &pdp_info);
@@ -277,7 +277,7 @@
return -GMM_CAUSE_INV_MAND_INFO;
}
- memcpy(&auth_info, &empty_auth_info, sizeof(auth_info));
+ auth_info = empty_auth_info;
auth_info.key_seq = gsup_msg->num_auth_tuples;
rc = decode_auth_info(value, value_len, &auth_info);