gprs_bssgp_pcu: ensure only known BVCI can be resetted by the SGSN Related: OS#3879 Change-Id: I04e36ce4a29e51d85e67a0d3a81aa0e1eb9e9c08

commit: 82519264ca9b93613ca8d815491a0295a94c0406 [log] [tgz]
author: Alexander Couzens <lynxis@fe80.eu> Mon Feb 22 02:08:18 2021 +0100
committer: laforge <laforge@osmocom.org> Tue Mar 23 17:47:22 2021 +0000
tree: 101c68545e54e3547406ceffcb9403c13462904d
parent: d7f0558b5c613da210e332e958e77d6b6c52c044 [diff] [blame]
diff --git a/src/gprs_bssgp_pcu.c b/src/gprs_bssgp_pcu.c
index fd3f0db..4170a66 100644
--- a/src/gprs_bssgp_pcu.c
+++ b/src/gprs_bssgp_pcu.c

@@ -415,6 +415,7 @@
 	struct tlv_parsed tp;
 	enum bssgp_pdu_type pdu_type = (enum bssgp_pdu_type) bgph->pdu_type;
 	uint16_t ns_bvci = msgb_bvci(msg), nsei = msgb_nsei(msg);
+	uint16_t bvci;
 	int data_len;
 	int rc = 0;
 	struct bssgp_bvc_ctx *bctx;
@@ -456,6 +457,17 @@
 	}
 
 	if (pdu_type == BSSGP_PDUT_BVC_RESET) {
+		if (ns_bvci != BVCI_SIGNALLING || !TLVP_PRESENT(&tp, BSSGP_IE_BVCI)) {
+			LOGP(DBSSGP, LOGL_ERROR, "Rx an invalid BVC-RESET %s\n", msgb_hexdump(msg));
+			return bssgp_tx_status(BSSGP_CAUSE_INV_MAND_INF, NULL, msg);
+		}
+
+		bvci = tlvp_val16be(&tp, BSSGP_IE_BVCI);
+		if (bvci != BVCI_SIGNALLING && bvci != the_pcu->bssgp.bctx->bvci) {
+			LOGP(DBSSGP, LOGL_ERROR, "Rx BVC-RESET for an unknown BVCI %d\n", bvci);
+			return bssgp_tx_status(BSSGP_CAUSE_UNKNOWN_BVCI, &bvci, msg);
+		}
+
 		return bssgp_rcvmsg(msg);
 	}
commit	82519264ca9b93613ca8d815491a0295a94c0406	[log] [tgz]
author	Alexander Couzens <lynxis@fe80.eu>	Mon Feb 22 02:08:18 2021 +0100
committer	laforge <laforge@osmocom.org>	Tue Mar 23 17:47:22 2021 +0000
tree	101c68545e54e3547406ceffcb9403c13462904d
parent	d7f0558b5c613da210e332e958e77d6b6c52c044 [diff] [blame]