authorJacob Erlbeck <jerlbeck@sysmocom.de>2014-10-28 14:57:53 +0100
committerJacob Erlbeck <jerlbeck@sysmocom.de>2014-10-28 15:17:02 +0100
commit76606d3473b61963a4d87bdad9f002e6191b9ece (patch)
tree615e2ff4e5cfb4093772f86e24ab893923e4a4d0
parent5a38f6470e74b0d7d7746fa65573f2acf76197eb (diff)
nitb/ctrl: Fix access to freed memory in verify_subscriber_modify
Currently the temporary string 'tmp' is freed before parts of it are referenced. This lets address sanitizer complain when evaluating strlen(imsi), where imsi points into the 'tmp' data block. This patch moves the talloc_free to the end of the function and uses a rc variable instead of using early returns. Addresses: testSubscriberAddRemove (__main__.TestCtrlNITB) ... Launch: ./src/osmo-nitb/osmo-nitb -c ./doc/examples/osmo-nitb/nanobts/openbsc.cfg -l test_hlr.sqlite3 Connecting to host 127.0.0.1:4249 Sending "SET 1000 subscriber-modify-v1 2620345,445566" Decoded replies: {} ERROR Sponsored-by: On-Waves ehf
-rw-r--r--openbsc/src/libmsc/ctrl_commands.c16
1 files changed, 9 insertions, 7 deletions
diff --git a/openbsc/src/libmsc/ctrl_commands.c b/openbsc/src/libmsc/ctrl_commands.c
index df85c8e88..702a7ae21 100644
--- a/openbsc/src/libmsc/ctrl_commands.c
+++ b/openbsc/src/libmsc/ctrl_commands.c
@@ -27,6 +27,7 @@
static int verify_subscriber_modify(struct ctrl_cmd *cmd, const char *value, void *d)
{
char *tmp, *imsi, *msisdn, *saveptr = NULL;
+ int rc = 0;
tmp = talloc_strdup(cmd, value);
if (!tmp)
@@ -34,15 +35,16 @@ static int verify_subscriber_modify(struct ctrl_cmd *cmd, const char *value, voi
imsi = strtok_r(tmp, ",", &saveptr);
msisdn = strtok_r(NULL, ",", &saveptr);
- talloc_free(tmp);
if (!imsi || !msisdn)
- return 1;
- if (strlen(imsi) >= GSM_IMSI_LENGTH)
- return 1;
- if (strlen(msisdn) >= GSM_EXTENSION_LENGTH)
- return 1;
- return 0;
+ rc = 1;
+ else if (strlen(imsi) >= GSM_IMSI_LENGTH)
+ rc = 1;
+ else if (strlen(msisdn) >= GSM_EXTENSION_LENGTH)
+ rc = 1;
+
+ talloc_free(tmp);
+ return rc;
}
static int get_subscriber_modify(struct ctrl_cmd *cmd, void *data)
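Review bot: The checks after the two `strtok_r` calls bound only the lengths of `imsi` and `msisdn`, so a control-interface value containing non-digit characters still verifies as valid. If both fields are expected to be decimal digit strings and the setter (not visible here) does not validate again, consider adding `else if (strspn(imsi, "0123456789") != strlen(imsi) || strspn(msisdn, "0123456789") != strlen(msisdn))` with `rc = 1;` ahead of the `talloc_free(tmp)`. It would also help to record the lifetime rule this fix relies on with a comment above the checks, `/* imsi and msisdn point into tmp; free tmp only after their last use */`, so a later refactor does not bring back the early free. The function begins in the previous hunk and the lines between the two hunks are not shown, so the `!tmp` path is not covered by this note.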