From 7346081ba3d181a0386e6d7191131103494cfacb Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Fri, 5 Jul 2013 07:50:30 +0200
Subject: nat: number could point to an address on the stack that can be reused

The number = int_number assignment will make the number point to the stack and as the int_number goes out of scope at the end of the if statement other code could re-use this stack for other memory.

Fixes: Coverity CID 1042325
---
 openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c b/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c
index c9b6f4a91..06071c475 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c
@@ -68,6 +68,7 @@ static char *match_and_rewrite_number(void *ctx, const char *number,
 static char *rewrite_isdn_number(struct bsc_nat *nat, void *ctx, const char *imsi,
 struct gsm_mncc_number *called)
 {
+ char int_number[sizeof(called->number) + 2];
 char *number = called->number;

 if (llist_empty(&nat->num_rewr))
@@ -79,7 +80,6 @@ static char *rewrite_isdn_number(struct bsc_nat *nat, void *ctx, const char *ims

 /* international, prepend */
 if (called->type == 1) {
- char int_number[sizeof(called->number) + 2];
 int_number[0] = '+';
 memcpy(&int_number[1], number, strlen(number) + 1);
 number = int_number;
-- 
cgit v1.2.3
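Review bot: The buffer declared in this hunk is sized as `sizeof(called->number) + 2`, but the copy that fills it (context lines of the second hunk) is bounded only by `strlen(number) + 1`, so it stays inside `int_number` only if `called->number` is NUL-terminated within its own array. Nothing visible in either hunk checks that, and the field presumably carries a number taken from signalling data, so it is worth bounding the copy by the destination, e.g. `snprintf(int_number, sizeof(int_number), "+%.*s", (int) sizeof(called->number), number);`. Since the declaration now sits far from its use, a comment such as `/* function scope: number may point here until we return */` would keep it from being moved back into the if block. The body of rewrite_isdn_number continues past both hunks, so how `number` is consumed afterwards is not visible here.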