Light

ervinsk / gtp-rs Goto Github PK

View Code? Open in Web Editor NEW

16.0 1.0 1.0 1.63 MB

Pure Rust implementation of 3GPP GTP (GPRS Tunneling Protocol) - GTPv1 and GTPv2

Rust 100.00%

gprs gtp gtpc gtpu lte 3gpp epc gtpv2 rust protocol

gtp-rs's Introduction

👋 Hi, I’m @ErvinsK
👀 I’m interested in building cloud-native solution in the telecommunications and IoT domains!
🌱 I’m currently trying to master Rust.
💞️ I’m looking to collaborate on projects related to telecommunications, cloud-native network functions, 2G/3G/4G/5G and even 6G :)
📫 How to reach me over the e-mail or via GitHub!

gtp-rs's People

Contributors

Stargazers

Watchers

Forkers

efellowsbg

gtp-rs's Issues

Infinite loop finded in gtvp1::gtpu when unmarshalling with an UDPPort length at zero.

Hello ! I found an infinite loop in your library. Here is some information on how to reproduce it :

versions

Debian GNU/Linux 11 (bullseye)
table-x86_64-unknown-linux-gnu unchanged - rustc 1.72.0 (5680fa18f 2023-08-23)

To reproduce :

we clone the repository :
git clone https://github.com/ErvinsK/gtp-rs.git
we add this main.rs to gtp-rs/src :

use ::gtp_rs::gtpv1::gtpu::*;

fn main() {

    // we create the extension_header
    let mut ext_header = UDPPort::default();
    ext_header.length = 0; // <-- the infinite loop is probably due to the length being 0
     
    // we add it to the header
    let mut header = Gtpv1Header::default();
    header.extension_headers = Some(vec![ExtensionHeader::UDPPort(ext_header)]);
 
    let mut array:Vec<u8> = vec![];
    header.marshal(&mut array);
    let _ = Gtpv1Header::unmarshal(&array); // <-- the infinite-loop happen when we try to unmarshal
    
}

we build and run :
cargo build && cargo run

Panic (addition overflow) when trying to unmarshalling ErrorIndication GTPU message

We (@FuzzingLabs) found an overflow in gtp-rs making the library to crash:

thread 'main' panicked at 'attempt to add with overflow', /home/fuzzinglabs/gtp-rs/src/gtpv1/utils.rs:163:5

Your Environment

rustc 1.71.1 (eb26296b5 2023-08-03)
Ubuntu 20.04

Steps to reproduce

Download:

git clone [email protected]:ErvinsK/gtp-rs.git

Testing program:

main.rs:

use ::gtp_rs::gtpv1::gtpu::*;

fn main() {
    let mut buffer: Vec<u8> = vec![];
    let mut message = ErrorIndication::default();

    message.teid_data = Teid {
        t: 255,
        teid: 4294967295,
    };

    message.marshal(&mut buffer);
    let _result = ErrorIndication::unmarshal(&buffer);
}

Cargo.toml:

[package]
name = "gtp_rs_overflow"
version = "0.1.0"
edition = "2021"

[dependencies]
gtp-rs = { path = "gtp-rs" }

Build and run:

cargo build
cargo run

Root cause

gtp-rs/src/gtpv1/utils.rs

Line 163 in 313f7af

(length + 3) as usize <= buffer.len()

Detailed behavior (RUST_BACKTRACE=1)

thread 'main' panicked at 'attempt to add with overflow', /home/fuzzinglabs/gtp-rs/src/gtpv1/utils.rs:163:5
stack backtrace:
   0: rust_begin_unwind
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/std/src/panicking.rs:593:5
   1: core::panicking::panic_fmt
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/core/src/panicking.rs:67:14
   2: core::panicking::panic
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/core/src/panicking.rs:117:5
   3: gtp_rs::gtpv1::utils::check_tlv_ie_buffer
             at /home/fuzzinglabs/gtp-rs/src/gtpv1/utils.rs:163:5
   4: <gtp_rs::gtpv1::gtpu::messages::ies::privateextension::PrivateExtension as gtp_rs::gtpv1::gtpu::messages::ies::commons::IEs>::unmarshal
             at /home/fuzzinglabs/gtp-rs/src/gtpv1/gtpu/messages/ies/privateextension.rs:47:16
   5: <gtp_rs::gtpv1::gtpu::messages::errorindication::ErrorIndication as gtp_rs::gtpv1::gtpu::messages::commons::Messages>::unmarshal
             at /home/fuzzinglabs/gtp-rs/src/gtpv1/gtpu/messages/errorindication.rs:102:52
   6: gtp_rs_fuzzing::main
             at ./src/main.rs:13:19
   7: core::ops::function::FnOnce::call_once
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/core/src/ops/function.rs:250:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Unmarshal tests for GTPv1 are failing

From commit 662a87e, 829 tests pass and 20 fail.
All fails are GTPv1 tests, and most are due to HeaderInvalidLength errors:

failures:
    gtpv1::gtpc::header::test_gtpv1_hdr_with_sqn_unmarshal
    gtpv1::gtpc::messages::createpdpctxreq::create_pdp_ctx_missing_mandatory_ie_unmarshal_test
    gtpv1::gtpc::messages::createpdpctxreq::create_pdp_ctx_unmarshal_test
    gtpv1::gtpc::messages::createpdpctxreq::create_pdp_ctx_unmarshal_with_linked_nsapi_test
    gtpv1::gtpc::messages::deletepdpctxreq::delete_pdp_ctx_req_missing_mandatory_ie_unmarshal_test
    gtpv1::gtpc::messages::deletepdpctxresp::delete_pdp_ctx_resp_unmarshal_test
    gtpv1::gtpc::messages::echoreq::test_echo_req_unmarshal
    gtpv1::gtpc::messages::echoresp::test_echo_resp_unmarshal
    gtpv1::gtpc::messages::echoresp::test_echo_resp_with_incorrect_mandatory_ie_unmarshal
    gtpv1::gtpc::messages::echoresp::test_echo_resp_without_mandatory_ie_unmarshal
    gtpv1::gtpc::messages::ies::apn::apn_ie_unmarshal_test
    gtpv1::gtpc::messages::initiatepdpctxactivationresp::init_pdp_ctx_activ_resp_missing_mandatory_ie_unmarshal_test
    gtpv1::gtpc::messages::initiatepdpctxactivationresp::init_pdp_ctx_activ_resp_unmarshal_test
    gtpv1::gtpc::messages::pdunotificationrejectreq::pdu_notification_reject_req_unmarshal_test
    gtpv1::gtpc::messages::pdunotificationrejectresp::pdu_notification_reject_resp_unmarshal_test
    gtpv1::gtpc::messages::pdunotificationreq::pdu_notification_req_unmarshal_test
    gtpv1::gtpc::messages::pdunotificationreq::pdu_notification_req_wrong_ie_order_unmarshal_test
    gtpv1::gtpc::messages::pdunotificationresp::pdu_notification_resp_unmarshal_test
    gtpv1::gtpc::messages::supportedexthdrnotification::test_supported_ext_hdr_notification_resp_without_mandatory_ie_unmarshal
    gtpv1::gtpc::messages::versionnotsupported::test_version_not_supported_unmarshal

test result: FAILED. 829 passed; 20 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.07s

We also hit the same HeaderInvalidLength error when trying to unmarshal a real (captured) gtpv1::EchoResponse message.

I suspect the header unmarshal code is wrong. Do you know if the test gtpv1::gtpc::messages::echoresp::test_echo_resp_unmarshal has ever passed?

Additionally,

Are there plans to start versioning the crate properly (even before a 1.0 release)?
How do you feel about adding a workflow for running the tests and formatting with GH Actions?

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.