NR UE seg fault in rlc_BearerConfig->rlc_Config and spCellConfigCommon->physCellId
Hi, Similar to #1027, there is two seg fault that can be triggered through a crafted DL-DCCH-Message in NR UE.
The first issue is in the file 2025.w45, openair2/LAYER2/nr_rlc/nr_rlc_oai_api.c. The code directly access the field rlc-Config.
void nr_rlc_add_drb(int ue_id, int drb_id, const NR_RLC_BearerConfig_t *rlc_BearerConfig)
{
switch (rlc_BearerConfig->rlc_Config->present) {
case NR_RLC_Config_PR_am:
add_drb_am(ue_id, drb_id, rlc_BearerConfig);
break;
case NR_RLC_Config_PR_um_Bi_Directional:
add_drb_um(ue_id, drb_id, rlc_BearerConfig);
break;
default:
LOG_E(RLC, "Fatal: unhandled DRB type\n");
exit(1);
}
LOG_I(RLC, "Added DRB to UE %d\n", ue_id);
}However, in ASN.1 definition, it says
RLC-BearerConfig ::= SEQUENCE {
-- emitted fields
rlc-Config RLC-Config OPTIONAL, -- Cond LCH-Setup
mac-LogicalChannelConfig LogicalChannelConfig OPTIONAL, -- Cond LCH-Setup
...,
-- emitted fields
}where rlc-config is an optional field, so it might not be present. And rlc_BearerConfig->rlc_Config->present would cause an assertion failure.
The input message is:
"c1": {
"rrcReconfiguration": {
"rrc-TransactionIdentifier": 0,
"criticalExtensions": {
"rrcReconfiguration": {
"nonCriticalExtension": {
"masterCellGroup": "796AC6D0",
"dedicatedSystemInformationDelivery": ""
}
}
}
}
}The second issue occurs in
openairinterface5g/openair2/RRC/NR_UE/rrc_UE.c:1713
1713 rrc->phyCellID = *reconfigurationWithSync->spCellConfigCommon->physCellId;In the ASN.1 definition of ServingCellConfigCommon is
ServingCellConfigCommon ::= SEQUENCE {
physCellId PhysCellId OPTIONAL, -- Cond HOAndServCellAdd,
downlinkConfigCommon DownlinkConfigCommon OPTIONAL, -- Cond HOAndServCellAdd
-- emitted
}where physCellId is an optional field, directly dereferencing it would cause a seg fault.
The encoding of the MasterCellGroup is
96905B479484C745928D0A6560059F06D43AB83690F19AF7218B72736FB60E5B5079DF1DF3FC5589E7799CB83326BE4A4974F11013AF2938