From 45a8d4b2be056965f6101d4913a5c5d3273cf28f Mon Sep 17 00:00:00 2001
From: Vadim Yanitskiy <axilirator@gmail.com>
Date: Mon, 1 Apr 2019 06:25:45 +0700
Subject: common/oml.c: fix: properly push abis_nm_ipa_magic

In oml_send_msg() we optionally push the A-bis IPA magic string
("com.ipaccess") to a given message buffer as LV (Length Value),
including the terminating null byte ('\0').

There was a mix of both sizeof() and strlen() calls, and worse
luck, memcpy() has been used in a wrong way, skipping the '\0':

  memcpy(dest, src, strlen(src));

In general, this is not critical because the headroom of a given
message buffer would most likely be zero-initialized, so the '\0'
is already there. However, msgb_push() gives no such guarantee.

Let's use the libosmocore's TLV API (in particular, lv_put()),
and stick to sizeof(), so the null byte will always be included.

Change-Id: I0c7f8776d0caec40f9ed992db541f43b732e47ae
Closes: OS#3022
---
 src/common/oml.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/common/oml.c b/src/common/oml.c
index c96a893f..80d424f8 100644
--- a/src/common/oml.c
+++ b/src/common/oml.c
@@ -36,6 +36,7 @@
 #include <osmocom/core/msgb.h>
 #include <osmocom/gsm/protocol/gsm_12_21.h>
 #include <osmocom/gsm/abis_nm.h>
+#include <osmocom/gsm/tlv.h>
 #include <osmocom/abis/e1_input.h>
 #include <osmocom/abis/ipaccess.h>
 
@@ -94,9 +95,8 @@ int oml_send_msg(struct msgb *msg, int is_manuf)
 
 	if (is_manuf) {
 		/* length byte, string + 0 termination */
-		uint8_t *manuf = msgb_push(msg, 1 + sizeof(abis_nm_ipa_magic));
-		manuf[0] = strlen(abis_nm_ipa_magic)+1;
-		memcpy(manuf+1, abis_nm_ipa_magic, strlen(abis_nm_ipa_magic));
+		uint8_t *manuf = msgb_push(msg, LV_GROSS_LEN(sizeof(abis_nm_ipa_magic)));
+		lv_put(manuf, sizeof(abis_nm_ipa_magic), (const uint8_t *) abis_nm_ipa_magic);
 	}
 
 	/* Push the main OML header and send it off */
-- 
cgit v1.2.3