nitb: Fix IMSI/IMEI buffer handling (Coverity)

Currently the handling of the buffers is not done consistently. Some
code assumes that the whole buffer may be used to store the string
while at other places, the last buffer byte is left untouched in the
assumption that it contains a terminating NUL-character. The latter
is the correct behaviour.

This commit changes to code to not touch the last byte in the buffers
and to rely on the last byte being NUL. So the maximum IMSI/IMEI
length is GSM_IMSI_LENGTH-1/GSM_IMEI_LENGTH-1.

For information: We assume that we allocate the structure with
talloc_zero. This means we have NULed the entire imsi array and then
only write sizeof - 1 characters to it. So the last byte remains NUL.

Fixes: Coverity CID 1206568, 1206567
Sponsored-by: On-Waves ehf

1 files changed, 1 insertions, 1 deletions

diff --git a/openbsc/src/osmo-bsc_nat/bsc_ussd.c b/openbsc/src/osmo-bsc_nat/bsc_ussd.c
index ac5a9f5c5..67844b812 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_ussd.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_ussd.c
@@ -399,7 +399,7 @@ int bsc_ussd_check(struct nat_sccp_connection *con, struct bsc_nat_parsed *parse
 	if (parsed->bssap != BSSAP_MSG_DTAP)
 		return 0;
 
-	if (strlen(con->imsi) > GSM_IMSI_LENGTH)
+	if (strlen(con->imsi) >= GSM_IMSI_LENGTH)
 		return 0;
 
 	hdr48 = bsc_unpack_dtap(parsed, msg, &len);