- Bug
- Resolution: Unresolved
- Medium
- None
Hello, during testing of the kpimon-go xApp, I found that an array index out of bounds panic can occur within the handleIndication function. Specifically, when creating the unsafe.Pointer to indicationMsg.IndHeader and indicationMsg.IndMessage, it tries to access the first element without validating the length.
```go
func (c *Control) handleIndication(params *xapp.RMRParams) (err error) {
	var e2ap *E2ap
	//var e2sm *E2sm

	indicationMsg, err := e2ap.GetIndicationMessage(params.Payload)
	if err != nil {
		xapp.Logger.Error("Failed to decode RIC Indication message: %v", err)
		return
	}
	...
	cptr1 := unsafe.Pointer(&indicationMsg.IndHeader[0])
	decodedHdr := C.e2sm_decode_ric_indication_header(cptr1, C.size_t(len(indicationMsg.IndHeader)))
	if decodedHdr == nil {
		return errors.New("e2sm wrapper is unable to get IndicationHeader due to wrong or invalid input")
	}
	...
	cptr2 := unsafe.Pointer(&indicationMsg.IndMessage[0])
	indicationmessage := C.e2sm_decode_ric_indication_message(cptr2, C.size_t(len(indicationMsg.IndMessage)))
	if indicationmessage == nil {
		return errors.New("e2sm wrapper is unable to get IndicationMessage due to wrong or invalid input")
	}
	...
}
```
The error logs are as follows:
```
{"ts":1707244786995,"crit":"INFO","id":"sonar.exe","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"24","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","time":"2024-02-06T18:39:46"},"msg":"Message received: name=RIC_INDICATION meid=gnb_734_373_16b8cef1 subId=1 txid= 822772199972 len=238"}
{"ts":1707244786995,"crit":"DEBUG","id":"sonar.exe","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"24","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","time":"2024-02-06T18:39:46"},"msg":"Received message type: 12050"}
2024/02/06 18:39:46 RIC Indication message from {gnb_734_373_16b8cef1} received
panic: runtime error: index out of range [0] with length 0

goroutine 338 [running]:
example.com/kpimon/control.(*Control).handleIndication(0x12f1340?, 0xc000442f00)
	example.com/kpimon/control/control.go:694 +0xfe5
created by example.com/kpimon/control.(*Control).controlLoop
	/opt/control/control_loop.go:16 +0x1f1
```

```
{"ts":1706684350651,"crit":"INFO","id":"kpimon","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"8","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","time":"2024-01-31T06:59:10"},"msg":"Message received: name=RIC_INDICATION meid=gnb_734_373_16b8cef1 subId=1 txid= 968741505085 len=238"}
{"ts":1706684350651,"crit":"DEBUG","id":"kpimon","mdc":{"CONTAINER_NAME":"","HOST_NAME":"","PID":"8","POD_NAME":"","SERVICE_NAME":"","SYSTEM_NAME":"","time":"2024-01-31T06:59:10"},"msg":"Received message type: 12050"}
2024/01/31 06:59:10 RIC Indication message from {gnb_734_373_16b8cef1} received
header RC_WMORE
2024/01/31 06:59:10 Indication Header format = 1
panic: runtime error: index out of range [0] with length 0

goroutine 132288 [running]:
example.com/kpimon/control.(*Control).handleIndication(0x5d8a4a?, 0xc000196000)
	/opt/control/control.go:733 +0xdec
created by example.com/kpimon/control.(*Control).controlLoop
	/opt/control/control_loop.go:15 +0xed
```
Adding the following checks before the affected lines fixed the problem:
```go
if indicationMsg.IndHeader == nil || len(indicationMsg.IndHeader) == 0 ||
	indicationMsg.IndMessage == nil || len(indicationMsg.IndMessage) == 0 {
	return errors.New("e2sm wrapper is unable to get IndicationHeader or IndicationMessage due to wrong or invalid input")
}
```
Please let me know if you have any questions. Thanks!
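The following is an added example, not part of the original report or the kpimon-go code. It reproduces the `&buf[0]` panic on nil and empty slices in pure Go (no cgo) and shows a length guard applied before any pointer is taken. The `indication` struct, `bufPtr`, `validate` and `unguardedPanics` are hypothetical names, and the two fields are assumed to be `[]byte`.

```go
package main

import (
	"errors"
	"fmt"
	"unsafe"
)

// indication is a hypothetical stand-in for the decoded message; only the
// two fields from the report are modelled, assumed here to be []byte.
type indication struct{ IndHeader, IndMessage []byte }

var errEmptyBuf = errors.New("empty buffer")

// bufPtr returns a pointer to the first byte plus the length. A nil slice
// has len 0, so the single length check covers both nil and empty.
func bufPtr(b []byte) (unsafe.Pointer, int, error) {
	if len(b) == 0 {
		return nil, 0, errEmptyBuf
	}
	return unsafe.Pointer(&b[0]), len(b), nil
}

// validate rejects an indication before any pointer reaches a decoder.
func validate(m *indication) error {
	if _, _, err := bufPtr(m.IndHeader); err != nil {
		return fmt.Errorf("IndHeader: %w", err)
	}
	if _, _, err := bufPtr(m.IndMessage); err != nil {
		return fmt.Errorf("IndMessage: %w", err)
	}
	return nil
}

// unguardedPanics repeats the reported pattern and reports whether it panicked.
func unguardedPanics(b []byte) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	_ = unsafe.Pointer(&b[0])
	return false
}

func main() {
	// Constructed inputs: nil header, empty message, and a well-formed pair.
	for _, m := range []*indication{{nil, []byte{1}}, {[]byte{1}, []byte{}}, {[]byte{1}, []byte{2}}} {
		fmt.Printf("unguarded panics=%v guarded err=%v\n",
			unguardedPanics(m.IndHeader) || unguardedPanics(m.IndMessage), validate(m))
	}
}
```

Because `len` of a nil slice is 0, the separate `== nil` comparisons in a guard like the one above are redundant, though harmless.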