Near Realtime RAN Intelligent Controller / RIC-1044

Potential Missing Array Size Checks Leading to Crashes in e2mgr


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • Component: e2mgr

      Hello, during my testing, I discovered two instances in the e2mgr where missing array size checks could potentially lead to crashes.

       

      Missing Check in RicServiceUpdateHandler

      The logs related to the first vulnerable site are as follows:

      {"ts":1706106928406,"crit":"INFO","id":"e2mgr","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"6","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","e2mgr":"0.2.2","time":"2024-01-24T14:35:28Z"},"msg":"[RMR -> E2 Manager] #rmrCgoApi.RecvMsg - message { MType: 12030, Len: 228, Meid: \"gnb_734_373_16b8cef1\", Xaction: &\"   651467592275\", Payload: [&31302e3130312e3135312e3136363a33383030307c3c453241502d5044553e3c696e6974696174696e674d6573736167653e3c70726f636564757265436f64653e373c2f70726f636564757265436f64653e3c637269746963616c6974793e3c69676e6f72652f3e3c2f637269746963616c6974793e3c76616c75653e3c524943736572766963655570646174653e3c70726f746f636f6c4945733e3c2f70726f746f636f6c4945733e3c2f524943736572766963655570646174653e3c2f76616c75653e3c2f696e6974696174696e674d6573736167653e3c2f453241502d5044553e] } has been received for transaction id: 651467592275"}
      {"ts":1706106928406,"crit":"INFO","id":"e2mgr","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"6","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","e2mgr":"0.2.2","time":"2024-01-24T14:35:28Z"},"msg":"#RicServiceUpdateHandler.Handle - RAN name: gnb_734_373_16b8cef1 - received RIC_SERVICE_UPDATE.
      Payload: 10.101.151.166:38000|<E2AP-PDU><initiatingMessage><procedureCode>7</procedureCode><criticality><ignore/></criticality><value><RICserviceUpdate><protocolIEs></protocolIEs></RICserviceUpdate></value></initiatingMessage></E2AP-PDU>"}
      {"ts":1706106928406,"crit":"INFO","id":"e2mgr","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"6","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","e2mgr":"0.2.2","time":"2024-01-24T14:35:28Z"},"msg":"#RnibDataService.GetNodeb - RAN name: gnb_734_373_16b8cef1, connection status: CONNECTED, associated E2T: 10.101.151.166:38000, setup from network: true"}
      {"ts":1706106928406,"crit":"INFO","id":"e2mgr","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"6","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","e2mgr":"0.2.2","time":"2024-01-24T14:35:28Z"},"msg":"#RicServiceUpdateHandler.Handle - RIC_SERVICE_UPDATE has been parsed successfully &{XMLName:{Space: Local:} Text: E2APPDU:{XMLName:{Space: Local:E2AP-PDU} Text: InitiatingMessage:{Text: ProcedureCode:7 Criticality:{Text: Reject:} Value:{Text: RICServiceUpdate:{Text: ProtocolIEs:{Text: RICServiceUpdateIEs:[]}}}}}}"}
      {"ts":1706106928406,"crit":"INFO","id":"e2mgr","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"6","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","e2mgr":"0.2.2","time":"2024-01-24T14:35:28Z"},"msg":"#ranListManagerInstance.UpdateNbIdentities completed successfully for 1 nbIdentities of nodetype - GNB"}
      panic: runtime error: index out of range [0] with length 0

      goroutine 251 [running]:
      e2mgr/handlers/rmrmsghandlers.(*RicServiceUpdateHandler).Handle(0xc000244de0, 0xc0002f23f0)
          /opt/E2Manager/handlers/rmrmsghandlers/ric_service_update_handler.go:107 +0x96a
      created by e2mgr/managers/notificationmanager.NotificationManager.HandleMessage
          /opt/E2Manager/managers/notificationmanager/notification_manager.go:53 +0x2db

      Specifically, in /E2Manager/handlers/rmrmsghandlers/ric_service_update_handler.go, the function Handle does not check the size of RICServiceUpdateIEs before using it, potentially leading to an index out-of-range panic. 

      func (h *RicServiceUpdateHandler) Handle(request *models.NotificationRequest) {
          // ...
          updateAck := models.NewServiceUpdateAck(ackFunctionIds, ricServiceUpdate.E2APPDU.InitiatingMessage.Value.RICServiceUpdate.ProtocolIEs.RICServiceUpdateIEs[0].Value.TransactionID)
          // ...
      } 

       

       

      Missing Array Size Check in E2nodeConfigUpdateNotificationHandler

      The logs related to the second vulnerable site are as follows:

       

      {"ts":1706066606170,"crit":"INFO","id":"e2mgr","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"7","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","e2mgr":"0.2.2","time":"2024-01-24T03:23:26Z"},"msg":"[RMR -> E2 Manager] #rmrCgoApi.RecvMsg - message { MType: 12070, Len: 246, Meid: \"gnb_734_373_16b8cef1\", Xaction: &\"   151628778772\", Payload: [&31302e3130302e3133322e32353a33383030307c3c453241502d5044553e3c696e6974696174696e674d6573736167653e3c70726f636564757265436f64653e31303c2f70726f636564757265436f64653e3c637269746963616c6974793e3c72656a6563742f3e3c2f637269746963616c6974793e3c76616c75653e3c45326e6f6465436f6e66696775726174696f6e5570646174653e3c70726f746f636f6c4945733e3c2f70726f746f636f6c4945733e3c2f45326e6f6465436f6e66696775726174696f6e5570646174653e3c2f76616c75653e3c2f696e6974696174696e674d6573736167653e3c2f453241502d5044553e] } has been received for transaction id: 151628778772"}
      {"ts":1706066606172,"crit":"INFO","id":"e2mgr","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"7","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","e2mgr":"0.2.2","time":"2024-01-24T03:23:26Z"},"msg":"#E2nodeConfigUpdateNotificationHandler.Handle - RAN name: gnb_734_373_16b8cef1 - received E2_Config_Update.
      Payload: 31302e3130302e3133322e32353a33383030307c3c453241502d5044553e3c696e6974696174696e674d6573736167653e3c70726f636564757265436f64653e31303c2f70726f636564757265436f64653e3c637269746963616c6974793e3c72656a6563742f3e3c2f637269746963616c6974793e3c76616c75653e3c45326e6f6465436f6e66696775726174696f6e5570646174653e3c70726f746f636f6c4945733e3c2f70726f746f636f6c4945733e3c2f45326e6f6465436f6e66696775726174696f6e5570646174653e3c2f76616c75653e3c2f696e6974696174696e674d6573736167653e3c2f453241502d5044553e"}
      {"ts":1706066606183,"crit":"INFO","id":"e2mgr","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"7","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","e2mgr":"0.2.2","time":"2024-01-24T03:23:26Z"},"msg":"#RnibDataService.GetNodeb - RAN name: gnb_734_373_16b8cef1, connection status: CONNECTED, associated E2T: 10.100.132.25:38000, setup from network: true"}
      {"ts":1706066606185,"crit":"INFO","id":"e2mgr","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"7","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","e2mgr":"0.2.2","time":"2024-01-24T03:23:26Z"},"msg":"#RnibDataService.UpdateNodebInfoAndPublish - nodebInfo: ran_name:\"gnb_734_373_16b8cef1\"  connection_status:CONNECTED  global_nb_id:{plmn_id:\"373437\"  nb_id:\"10110101110001100111011110001\"}  node_type:GNB  gnb:{ran_functions:{ran_function_definition  ran_function_revision:2  ran_function_oid:\"OID123\"}  gnb_type:GNB  node_configs:{e2nodeComponentInterfaceTypeNG:{amf_name:\"nginterf\"}  e2nodeComponentRequestPart:\"72657170617274\"  e2nodeComponentResponsePart:\"72657370617274\"}}  associated_e2t_instance_address:\"10.100.132.25:38000\"  setup_from_network:true  status_update_time_stamp:1706066367175222850  gnb_node_type:\"gNB\""}
      panic: runtime error: index out of range [0] with length 0

      goroutine 116 [running]:
      e2mgr/models.NewE2nodeConfigurationUpdateSuccessResponseMessage(0xc00027a410, 0x0)
          /opt/E2Manager/models/e2_node_configuration_update_ack.go:279 +0x945
      e2mgr/handlers/rmrmsghandlers.(*E2nodeConfigUpdateNotificationHandler).handleSuccessfulResponse(0xc0003361c0, 0xc00027a410, 0xc000504000, 0xc00019aa80, 0x0, 0x0)
          /opt/E2Manager/handlers/rmrmsghandlers/e2_node_config_update_notification_handler.go:208 +0x45
      e2mgr/handlers/rmrmsghandlers.(*E2nodeConfigUpdateNotificationHandler).Handle(0xc0003361c0, 0xc000504000)
          /opt/E2Manager/handlers/rmrmsghandlers/e2_node_config_update_notification_handler.go:74 +0x377
      created by e2mgr/managers/notificationmanager.NotificationManager.HandleMessage
          /opt/E2Manager/managers/notificationmanager/notification_manager.go:53 +0x2db

      Here, in /E2Manager/models/e2_node_configuration_update_ack.go, the function NewE2nodeConfigurationUpdateSuccessResponseMessage uses E2nodeConfigurationUpdateIEs without checking its size. 

      func NewE2nodeConfigurationUpdateSuccessResponseMessage(e2nodeConfigupdateMessage *E2nodeConfigurationUpdateMessage) *E2nodeConfigurationUpdateAcknowledgeE2APPDU {
          // ...
          txIEs := E2nodeConfigurationUpdateAcknowledgeIEs{
              ID: ProtocolIE_ID_id_TransactionID,
              Value: E2nodeConfigurationUpdateAcknowledgeTransID{
                  TransactionID: e2nodeConfigupdateMessage.E2APPDU.InitiatingMessage.Value.E2nodeConfigurationUpdate.ProtocolIEs.E2nodeConfigurationUpdateIEs[0].Value.TransactionID, // vulnerable line
              },
          }
          // ...
      } 

       

       

      Please let me know if any additional information is needed. Thanks for your help!
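
The length check that both reported sites lack, as an added Go example (not e2mgr's own code and not part of the report). The struct is a simplified stand-in whose XML element names are assumptions; `emptyIEs` is the XML from the first log above and `withTxID` is constructed for the example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
)

// Simplified stand-in for the e2mgr models; the XML element names are assumptions.
type serviceUpdatePDU struct {
	XMLName xml.Name `xml:"E2AP-PDU"`
	IEs     []struct {
		TransactionID *int `xml:"value>TransactionID"`
	} `xml:"initiatingMessage>value>RICserviceUpdate>protocolIEs>RICserviceUpdate-IEs"`
}

const head = `<E2AP-PDU><initiatingMessage><procedureCode>7</procedureCode><criticality><ignore/></criticality><value><RICserviceUpdate><protocolIEs>`
const tail = `</protocolIEs></RICserviceUpdate></value></initiatingMessage></E2AP-PDU>`
const emptyIEs = head + tail // XML payload from the first log
const withTxID = head + `<RICserviceUpdate-IEs><value><TransactionID>5</TransactionID></value></RICserviceUpdate-IEs>` + tail // constructed
var errNoIEs, errNoTxID = errors.New("protocolIEs is empty"), errors.New("first IE has no TransactionID")

// transactionID validates the IE list before reading element 0.
func transactionID(payload string) (int, error) {
	var pdu serviceUpdatePDU
	if err := xml.Unmarshal([]byte(payload), &pdu); err != nil {
		return 0, fmt.Errorf("malformed E2AP XML: %w", err)
	}
	if len(pdu.IEs) == 0 {
		return 0, errNoIEs // reject instead of indexing an empty slice
	}
	if pdu.IEs[0].TransactionID == nil {
		return 0, errNoTxID
	}
	return *pdu.IEs[0].TransactionID, nil
}

// uncheckedPanics repeats the reported pattern (IEs[0], no length check) and reports a panic.
func uncheckedPanics(payload string) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	var pdu serviceUpdatePDU
	_ = xml.Unmarshal([]byte(payload), &pdu)
	_ = pdu.IEs[0].TransactionID
	return false
}

func main() {
	fmt.Println(transactionID(emptyIEs))
	fmt.Println(transactionID(withTxID))
}
```

Both stack traces show the handler running in a goroutine created by NotificationManager.HandleMessage, and an unrecovered panic in any goroutine terminates the whole Go process, so returning an error here keeps one message with an empty protocolIEs list from stopping the service.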

       

            himanshup Himanshu Purohit
            tchyang Tianchang Yang