From patchwork Sat May 21 14:50:29 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: untested patch: gprs_cipher_run() invocation
From: Neels Hofmeyr
X-Patchwork-Id: 72051
Message-Id: <20160521145029.GC2134@dub6>
To: openbsc@lists.osmocom.org
Date: Sat, 21 May 2016 16:50:29 +0200

I have this patch, but am not sure how to test its validity.
Looks sane though.

We were passing a uint64_t kc as uint8_t* to:

  int gprs_cipher_run(uint8_t *out, uint16_t len, enum gprs_ciph_algo algo,
                      uint8_t *kc, uint32_t iv, enum gprs_cipher_direction dir);

so instead of passing kc's address, we would pass the kc *as* address.

See attached patch. Any opinions and/or testers?
Why would no-one have noticed this before?

Thanks!

~Neels

From 25f21d80ef40b1821097b421512bf0973e0125d7 Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr
Date: Mon, 9 May 2016 21:20:21 +0200
Subject: [PATCH] sgsn: fix use of libosmocore GPRS encryption plugins from LLC layer

Instead of passing the uint64_t kc bytes wrongly interpreted as memory address, pass its actual kc bytes by casting via (uint8_t*)&kc.

--- openbsc/src/gprs/gprs_llc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openbsc/src/gprs/gprs_llc.c b/openbsc/src/gprs/gprs_llc.c index 4cf5163..e3c0726 100644 --- a/openbsc/src/gprs/gprs_llc.c +++ b/openbsc/src/gprs/gprs_llc.c @@ -417,7 +417,7 @@ int gprs_llc_tx_ui(struct msgb *msg, uint8_t sapi, int command, /* Compute the keystream that we need to XOR with the data */ rc = gprs_cipher_run(cipher_out, crypt_len, lle->llme->algo, - kc, iv, GPRS_CIPH_SGSN2MS); + (uint8_t*)&kc, iv, GPRS_CIPH_SGSN2MS); if (rc < 0) { LOGP(DLLC, LOGL_ERROR, "Error crypting UI frame: %d\n", rc); msgb_free(msg); 
@@ -623,7 +623,7 @@ int gprs_llc_rcvmsg(struct msgb *msg, struct tlv_parsed *tv) iv = gprs_cipher_gen_input_ui(iov_ui, lle->sapi, llhp.seq_tx, lle->oc_ui_recv); rc = gprs_cipher_run(cipher_out, crypt_len, lle->llme->algo, - kc, iv, GPRS_CIPH_MS2SGSN); + (uint8_t*)&kc, iv, GPRS_CIPH_MS2SGSN); if (rc < 0) { LOGP(DLLC, LOGL_ERROR, "Error decrypting frame: %d\n", rc); -- 2.1.4
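
Review bot: In the gprs_llc_tx_ui() hunk, the new argument `(uint8_t*)&kc` hands gprs_cipher_run() the in-memory bytes of a uint64_t, so the order of the eight key bytes the cipher plugin sees depends on host endianness. The keystream would then differ between a little-endian and a big-endian SGSN for the same Kc. Consider keeping Kc as a `uint8_t[8]` in the order it was received, or copying it into a local 8-byte buffer in an explicitly chosen byte order before the call, and state that order in the comment above the call.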
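
Review bot: The decrypt call in the gprs_llc_rcvmsg() hunk uses the same `(uint8_t*)&kc` cast as the transmit path, so a test that feeds frames from gprs_llc_tx_ui() back into this function would pass even if the key bytes are in the wrong order. Since the patch is marked untested, validate this direction against keystream or ciphered frames from an independent source, such as a real MS. The cast also stops the compiler from checking the argument against the `uint8_t *kc` parameter; a byte-array kc would need no cast here.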