- Bug
- Resolution: Unresolved
- Medium
- None
Hello, I discovered that the kpimon-go application has a critical issue: negative return values from encoding functions are not handled, which can lead to arrays being allocated with negative sizes. This occurs in the encode_action_Definition function in e2sm/wrapper.c and can cause unexpected behaviour, including a crash of the application.
The function encode_action_Definition encodes data and then uses the returned length to size arrays. Specifically, on lines 241, 264, 275 and 286 it calls encoding functions such as e2sm_encode_ric_action_definition_format3_by_name and e2sm_encode_ric_action_definition_format1_by_name. These functions can return a negative value (-1) to signal an encoding error, but the return value is used directly as an array size without checking that it is non-negative:
```c
struct encode_act_Def_result encode_action_Definition(const char *hex_values, int determine){
    // ...
    int encodedLengthFormat3ByName = e2sm_encode_ric_action_definition_format3_by_name(&bufFormat3[0], &buf_sizeFormat3, name_format3, sz3, ricStyleTypeFormat3, granulPeriod);
    printf("length of buff= %ld \n",strlen(bufFormat3));
    printf("size of buff= %ld \n",sizeof(bufFormat3));
    printf("declared size of buff= %ld \n",BUFFER_SIZE);
    printf("encoded length of buff= %ld \n",encodedLengthFormat3ByName);
    // return value (-1 on error) used as a VLA size without a check
    int arrayFormat3ByName[encodedLengthFormat3ByName];
    for(int i=0;i<encodedLengthFormat3ByName;i++){
        //printf("%d ",(int)bufFormat3[i]);
        arrayFormat3ByName[i]=(int)bufFormat3[i];
    }

    unsigned char bufFormat1[BUFFER_SIZE];
    size_t buf_sizeFormat1 = BUFFER_SIZE;
    long ricStyleTypeFormat1 = 1;
    //unsigned long granulPeriod = 10000;
    //get plmn id during run time of kpimon
    unsigned char p[] = {0x00, 0x1F, 0x01};
    //get nr cell id for 5g cell or eutra cell id for 4g cell
    unsigned char nR []= {0x12, 0x34, 0x56, 0x00, 0x10};
    int encodedLengthFormat1ByName = e2sm_encode_ric_action_definition_format1_by_name(&bufFormat1[0], &buf_sizeFormat1, name_format1, sz1, ricStyleTypeFormat1, granulPeriod, p, nR);
    printf("\n\n\n");
    // same unchecked use of the return value
    int arrayFormat1ByName[encodedLengthFormat1ByName];
    for(int i=0;i<encodedLengthFormat1ByName;i++){
        //printf("%d ",(int)bufFormat1[i]);
        arrayFormat1ByName[i]=(int)bufFormat1[i];
    }

    unsigned char bufFormat1ById[BUFFER_SIZE];
    size_t buf_sizeFormat1ById = BUFFER_SIZE;
    int encodedLengthFormat1ById = e2sm_encode_ric_action_definition_format1_by_id(&bufFormat1ById[0], &buf_sizeFormat1ById, id_format1, sz1, ricStyleTypeFormat1, granulPeriod, p, nR);
    printf("\n\n\n");
    // same unchecked use of the return value
    int arrayFormat1ById[encodedLengthFormat1ById];
    for(int i=0;i<encodedLengthFormat1ById;i++){
        //printf("%d ",(int)bufFormat1ById[i]);
        arrayFormat1ById[i]=(int)bufFormat1ById[i];
    }

    unsigned char bufFormat3ById[BUFFER_SIZE];
    size_t buf_sizeFormat3ById = BUFFER_SIZE;
    int encodedLengthFormat3ById = e2sm_encode_ric_action_definition_format3_by_id(&bufFormat3ById[0], &buf_sizeFormat3ById, id_format3, sz3, ricStyleTypeFormat3, granulPeriod);
    printf("\n\n\n");
    // same unchecked use of the return value
    int arrayFormat3ById[encodedLengthFormat3ById];
    for(int i=0;i<encodedLengthFormat3ById;i++){
        //printf("%d ",(int)bufFormat3ById[i]);
        arrayFormat3ById[i]=(int)bufFormat3ById[i];
    }
    // ...
}
```
Using the negative return value in array allocation can lead to unpredictable behavior and potentially crash the xApp. An example log demonstrating the issue is attached.
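A checked version of the pattern above, written here as an added example and not taken from kpimon-go: fake_encode is a hypothetical stand-in for the e2sm_encode_ric_action_definition_* functions (returning -1 on failure, as the report describes), and the BUFFER_SIZE value is assumed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value; the report names BUFFER_SIZE but does not give it. */
#define BUFFER_SIZE 8192

/* Hypothetical stand-in for the e2sm_encode_ric_action_definition_*
 * encoders: writes the encoding into buf, updates *buf_size to the
 * bytes written and returns that length, or -1 on an encoding error. */
static int fake_encode(unsigned char *buf, size_t *buf_size, const char *payload)
{
    if (payload == NULL || strlen(payload) >= *buf_size)
        return -1;                      /* the error sentinel the report describes */
    size_t n = strlen(payload);
    memcpy(buf, payload, n);
    *buf_size = n;
    return (int)n;
}

/* Hardened form of the widening loops in encode_action_Definition.
 * The original does `int array[encodedLength];` straight from the
 * encoder's return value, so -1 becomes a negative VLA size (undefined
 * behaviour). Here the length is validated first, and the destination
 * is a caller-supplied fixed-size array rather than a VLA.
 * Returns the number of ints written, or -1 if encoding failed. */
int copy_encoded_checked(const char *payload, int *out, size_t out_len)
{
    unsigned char buf[BUFFER_SIZE];
    size_t buf_size = BUFFER_SIZE;
    int encoded_len = fake_encode(buf, &buf_size, payload);

    /* Reject the -1 sentinel and any length that does not fit. */
    if (encoded_len < 0 || (size_t)encoded_len > buf_size ||
        (size_t)encoded_len > out_len) {
        fprintf(stderr, "encode failed (rc=%d), not allocating\n", encoded_len);
        return -1;
    }
    for (int i = 0; i < encoded_len; i++)
        out[i] = (int)buf[i];
    return encoded_len;
}
```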