untested patch: gprs_cipher_run() invocation
diff mbox

Message ID 20160521145029.GC2134@dub6
State New
Headers show

Commit Message

Neels Hofmeyr May 21, 2016, 2:50 p.m. UTC
I have this patch, but am not sure how to test its validity. Looks sane though.
We were passing a uint64_t kc as uint8_t* to:

int gprs_cipher_run(uint8_t *out, uint16_t len, enum gprs_ciph_algo algo,
                    uint8_t *kc, uint32_t iv, enum gprs_cipher_direction dir);

so instead of passing kc's address, we would pass the kc *as* address.

See attached patch.
Any opinions and/or testers? Why would no-one have noticed this before?

Thanks!
~Neels

Patch
diff mbox

From 25f21d80ef40b1821097b421512bf0973e0125d7 Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr <nhofmeyr@sysmocom.de>
Date: Mon, 9 May 2016 21:20:21 +0200
Subject: [PATCH] sgsn: fix use of libosmocore GPRS encryption plugins from LLC
 layer

Instead of passing the uint64_t kc bytes wrongly interpreted as memory address,
pass its actual kc bytes by casting via (uint8_t*)&kc.
---
 openbsc/src/gprs/gprs_llc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/openbsc/src/gprs/gprs_llc.c b/openbsc/src/gprs/gprs_llc.c
index 4cf5163..e3c0726 100644
--- a/openbsc/src/gprs/gprs_llc.c
+++ b/openbsc/src/gprs/gprs_llc.c
@@ -417,7 +417,7 @@  int gprs_llc_tx_ui(struct msgb *msg, uint8_t sapi, int command,
 
 		/* Compute the keystream that we need to XOR with the data */
 		rc = gprs_cipher_run(cipher_out, crypt_len, lle->llme->algo,
-				     kc, iv, GPRS_CIPH_SGSN2MS);
+				     (uint8_t*)&kc, iv, GPRS_CIPH_SGSN2MS);
 		if (rc < 0) {
 			LOGP(DLLC, LOGL_ERROR, "Error crypting UI frame: %d\n", rc);
 			msgb_free(msg);
@@ -623,7 +623,7 @@  int gprs_llc_rcvmsg(struct msgb *msg, struct tlv_parsed *tv)
 		iv = gprs_cipher_gen_input_ui(iov_ui, lle->sapi, llhp.seq_tx,
 						lle->oc_ui_recv);
 		rc = gprs_cipher_run(cipher_out, crypt_len, lle->llme->algo,
-				     kc, iv, GPRS_CIPH_MS2SGSN);
+				     (uint8_t*)&kc, iv, GPRS_CIPH_MS2SGSN);
 		if (rc < 0) {
 			LOGP(DLLC, LOGL_ERROR, "Error decrypting frame: %d\n",
 			     rc);
-- 
2.1.4