nat: Fix authentication by-pass using shorter tokens
The token was compared with the configured one but only up to a
user supplied length. Compare the token sizes and then use memcmp
for the actual comparison to make sure to compare the right ammount
of characters.
There is no unit-test but there should be one.
diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c
index dd06a70..792d33c 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c
@@ -943,8 +943,26 @@
return;
}
+ if (len <= 0) {
+ LOGP(DNAT, LOGL_ERROR, "Token with length zero on fd: %d\n",
+ bsc->write_queue.bfd.fd);
+ return;
+ }
+
+ if (token[len - 1] != '\0') {
+ LOGP(DNAT, LOGL_ERROR, "Token not null terminated on fd: %d\n",
+ bsc->write_queue.bfd.fd);
+ return;
+ }
+
llist_for_each_entry(conf, &bsc->nat->bsc_configs, entry) {
- if (strncmp(conf->token, token, len) == 0) {
+ /*
+ * Add the '\0' of the token for the memcmp, the IPA messages
+ * for some reason added null termination.
+ */
+ const int token_len = strlen(conf->token) + 1;
+
+ if (token_len == len && memcmp(conf->token, token, token_len) == 0) {
rate_ctr_inc(&conf->stats.ctrg->ctr[BCFG_CTR_NET_RECONN]);
bsc->authenticated = 1;
bsc->cfg = conf;
@@ -956,7 +974,7 @@
}
}
- LOGP(DNAT, LOGL_ERROR, "No bsc found for token %s on fd: %d.\n", token,
+ LOGP(DNAT, LOGL_ERROR, "No bsc found for token '%s' on fd: %d.\n", token,
bsc->write_queue.bfd.fd);
}