Light

ervinsk / gtp-rs Goto Github PK

View Code? Open in Web Editor NEW

14.0 1.0 1.0 1.59 MB

Pure Rust implementation of 3GPP GTP (GPRS Tunneling Protocol) - GTPv1 and GTPv2

Rust 100.00%

gprs gtp gtpc gtpu lte 3gpp epc gtpv2 rust protocol

gtp-rs's Introduction

GTP-rs

GTP-rs is pure Rust implementation to easily handle 3GPP GTP (GPRS Tunneling Protocol) protocol:

GTPv1-C (3GPP TS 29.060 V15.5.0 (2019-06))
GTPv2-C (3GPP TS 29.274 V17.10.0 (2023-12))
GTPv1-U (3GPP TS 29.281 V16.0.0 (2019-12))

Disclaimer

It is still an experimental project with many items WIP.

Use it at your own risk!

Status

Full implementation of GTPv2-C IEs and Messages (except MBMS related)
Full implementation of GTPv1-U (Zero-Copy)
Incomplete and outdated implementation of GTPv1-C - both IEs and Messages (it works but not so polished as GTPv2 implementation)

Things To Do

Add examples
Work on documentation
Bug-fixing
Optimization

Author(s)

Ervins Kampans Github

LICENSE

MIT

gtp-rs's People

Stargazers

Watchers

gtp-rs's Issues

Panic (addition overflow) when trying to unmarshalling ErrorIndication GTPU message

We (@FuzzingLabs) found an overflow in gtp-rs making the library to crash:

thread 'main' panicked at 'attempt to add with overflow', /home/fuzzinglabs/gtp-rs/src/gtpv1/utils.rs:163:5

Your Environment

rustc 1.71.1 (eb26296b5 2023-08-03)
Ubuntu 20.04

Steps to reproduce

Download:

git clone [email protected]:ErvinsK/gtp-rs.git

Testing program:

main.rs:

use ::gtp_rs::gtpv1::gtpu::*;

fn main() {
    let mut buffer: Vec<u8> = vec![];
    let mut message = ErrorIndication::default();

    message.teid_data = Teid {
        t: 255,
        teid: 4294967295,
    };

    message.marshal(&mut buffer);
    let _result = ErrorIndication::unmarshal(&buffer);
}

Cargo.toml:

[package]
name = "gtp_rs_overflow"
version = "0.1.0"
edition = "2021"

[dependencies]
gtp-rs = { path = "gtp-rs" }

Build and run:

cargo build
cargo run

Root cause

gtp-rs/src/gtpv1/utils.rs

Line 163 in 313f7af

(length + 3) as usize <= buffer.len()

Detailed behavior (RUST_BACKTRACE=1)

thread 'main' panicked at 'attempt to add with overflow', /home/fuzzinglabs/gtp-rs/src/gtpv1/utils.rs:163:5
stack backtrace:
   0: rust_begin_unwind
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/std/src/panicking.rs:593:5
   1: core::panicking::panic_fmt
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/core/src/panicking.rs:67:14
   2: core::panicking::panic
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/core/src/panicking.rs:117:5
   3: gtp_rs::gtpv1::utils::check_tlv_ie_buffer
             at /home/fuzzinglabs/gtp-rs/src/gtpv1/utils.rs:163:5
   4: <gtp_rs::gtpv1::gtpu::messages::ies::privateextension::PrivateExtension as gtp_rs::gtpv1::gtpu::messages::ies::commons::IEs>::unmarshal
             at /home/fuzzinglabs/gtp-rs/src/gtpv1/gtpu/messages/ies/privateextension.rs:47:16
   5: <gtp_rs::gtpv1::gtpu::messages::errorindication::ErrorIndication as gtp_rs::gtpv1::gtpu::messages::commons::Messages>::unmarshal
             at /home/fuzzinglabs/gtp-rs/src/gtpv1/gtpu/messages/errorindication.rs:102:52
   6: gtp_rs_fuzzing::main
             at ./src/main.rs:13:19
   7: core::ops::function::FnOnce::call_once
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/core/src/ops/function.rs:250:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Infinite loop finded in gtvp1::gtpu when unmarshalling with an UDPPort length at zero.

Hello ! I found an infinite loop in your library. Here is some information on how to reproduce it :

versions

Debian GNU/Linux 11 (bullseye)
table-x86_64-unknown-linux-gnu unchanged - rustc 1.72.0 (5680fa18f 2023-08-23)

To reproduce :

we clone the repository :
git clone https://github.com/ErvinsK/gtp-rs.git
we add this main.rs to gtp-rs/src :

use ::gtp_rs::gtpv1::gtpu::*;

fn main() {

    // we create the extension_header
    let mut ext_header = UDPPort::default();
    ext_header.length = 0; // <-- the infinite loop is probably due to the length being 0
     
    // we add it to the header
    let mut header = Gtpv1Header::default();
    header.extension_headers = Some(vec![ExtensionHeader::UDPPort(ext_header)]);
 
    let mut array:Vec<u8> = vec![];
    header.marshal(&mut array);
    let _ = Gtpv1Header::unmarshal(&array); // <-- the infinite-loop happen when we try to unmarshal
    
}

we build and run :
cargo build && cargo run

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.