
srsENB crash after receiving fuzzed RRCConnectionRequest message

Open IljaSir opened this issue 2 years ago • 0 comments

Issue Description

srsENB crashes after receiving a fuzzed RRCConnectionRequest message. Cause: I am not sure what the root cause of the crash is. However, I managed to identify the place where it happens: it is in the send_connection_setup() function.

To be more exact, the crash happens inside the to_number() function, while trying to access memory via a pointer.

Setup Details

The srsRAN version used in my testing corresponds to the git commit 5275f33360f1b3f1ee8d1c4d9ae951ac7c4ecd4e (tag: release_21_10). It was built with the "-g -fsanitize=address" flags.

Expected Behavior

No crash

Actual Behaviour

Crash

Steps to reproduce the problem

To reproduce this issue, we should send a modified RRC Connection Request message.
Before fuzzing: "41 A3 97 E5 A1 F8"
After fuzzing: "61 A3 FF FF FF FF"

IljaSir, Mar 28 '23 13:03
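Added example, not part of the issue and not srsRAN code: a minimal UPER decoder for the LTE UL-CCCH-Message, covering only the RRCConnectionRequest path, written from the ASN.1 in 3GPP TS 36.331 (UL-CCCH-MessageType, RRCConnectionRequest, RRCConnectionRequest-r8-IEs, InitialUE-Identity, EstablishmentCause). Run against the two hex strings quoted in the report, it shows what the fuzzer changed: the third bit flips criticalExtensions from rrcConnectionRequest-r8 to criticalExtensionsFuture, which is an empty SEQUENCE, so the fuzzed message carries no ue-Identity and no establishmentCause at all, and the remaining 45 bits are not valid UPER padding (padding only runs to the next octet boundary). Whether the missing IEs are what send_connection_setup() / to_number() dereference is not established by the report; the decoder only makes the byte-level difference visible. The dictionary keys and the BitReader helper are this example's own naming, not the project's.

```python
# Added example (not srsRAN code): decode the LTE UL-CCCH-Message UPER bit
# layout for the RRCConnectionRequest path, per the ASN.1 in 3GPP TS 36.331.
# Dictionary keys and helper names are this example's own choices.


class BitReader:
    """Reads an unaligned bit stream MSB-first, as UPER lays it out."""

    def __init__(self, data: bytes):
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos = 0

    def read(self, n: int) -> int:
        if self.pos + n > len(self.bits):
            raise ValueError(f"truncated: need {n} bits at bit offset {self.pos}")
        value = int(self.bits[self.pos:self.pos + n], 2)
        self.pos += n
        return value

    def remaining(self) -> int:
        return len(self.bits) - self.pos


# EstablishmentCause ::= ENUMERATED, 8 alternatives, no extension marker -> 3 bits
ESTABLISHMENT_CAUSE = [
    "emergency", "highPriorityAccess", "mt-Access", "mo-Signalling",
    "mo-Data", "delayTolerantAccess-v1020", "mo-VoiceCall-v1280", "spare1",
]


def decode_ul_ccch(data: bytes) -> dict:
    """Decode UL-CCCH-Message; only rrcConnectionRequest is decoded in full."""
    r = BitReader(data)
    out = {}
    # UL-CCCH-MessageType ::= CHOICE { c1, messageClassExtension } -> 1 bit
    if r.read(1) != 0:
        out["message"] = "messageClassExtension"   # not decoded further here
        out["trailing_bits"] = r.remaining()
        return out
    # c1 ::= CHOICE { rrcConnectionReestablishmentRequest, rrcConnectionRequest } -> 1 bit
    if r.read(1) != 1:
        out["message"] = "rrcConnectionReestablishmentRequest"   # not decoded further here
        out["trailing_bits"] = r.remaining()
        return out
    out["message"] = "rrcConnectionRequest"
    # criticalExtensions ::= CHOICE { rrcConnectionRequest-r8, criticalExtensionsFuture } -> 1 bit
    if r.read(1) != 0:
        # criticalExtensionsFuture is SEQUENCE {}: zero bits, so no IEs follow at all
        out["criticalExtensions"] = "criticalExtensionsFuture"
        out["trailing_bits"] = r.remaining()
        return out
    out["criticalExtensions"] = "rrcConnectionRequest-r8"
    # InitialUE-Identity ::= CHOICE { s-TMSI, randomValue BIT STRING (SIZE (40)) } -> 1 bit
    if r.read(1) == 0:
        # S-TMSI ::= SEQUENCE { mmec BIT STRING (SIZE (8)), m-TMSI BIT STRING (SIZE (32)) }
        out["ue-Identity"] = {"type": "s-TMSI", "mmec": r.read(8), "m-TMSI": r.read(32)}
    else:
        out["ue-Identity"] = {"type": "randomValue", "value": r.read(40)}
    out["establishmentCause"] = ESTABLISHMENT_CAUSE[r.read(3)]
    out["spare"] = r.read(1)                 # spare BIT STRING (SIZE (1))
    # UPER pads only up to the next octet boundary, so 0..7 bits are expected here
    out["trailing_bits"] = r.remaining()
    return out


# The two messages quoted in the issue report (hex copied from the report)
ORIGINAL = bytes.fromhex("41A397E5A1F8")
FUZZED = bytes.fromhex("61A3FFFFFFFF")

if __name__ == "__main__":
    for label, msg in (("before fuzzing", ORIGINAL), ("after fuzzing", FUZZED)):
        print(label, msg.hex(), decode_ul_ccch(msg))
```

The unfuzzed message decodes cleanly (s-TMSI with mmec 0x1A and m-TMSI 0x397E5A1F, establishmentCause mo-Data, no trailing bits). The fuzzed message is a syntactically valid RRCConnectionRequest whose only content is the criticalExtensionsFuture branch, which is the kind of input a receiver must handle without assuming the r8 IEs exist.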