From 322b1499cd4d34b0148a15cb615ad6dff8203ed2 Mon Sep 17 00:00:00 2001
From: Jacob Erlbeck <jerlbeck@sysmocom.de>
Date: Tue, 7 Apr 2015 17:49:49 +0200
Subject: nitb: Check source string length before calling strncpy (Coverity)

Currently some VTY command do neither check the length of the source
string before calling strncpy nor ensure NUL-termination afterwards.
This can to destination string buffers whose contents are not
NUL-teminated.

This commit adds checks and corresponding warnings to the VTY
commands 'subscriber TYPE ID name .NAME" and "subscriber TYPE ID
extension EXTENSION".

Fixes: Coverity CID 1206570, 1206569
Sponsored-by: On-Waves ehf
---
 openbsc/src/libmsc/vty_interface_layer3.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'openbsc/src/libmsc')

diff --git a/openbsc/src/libmsc/vty_interface_layer3.c b/openbsc/src/libmsc/vty_interface_layer3.c
index 68d9c4498..558db5e61 100644
--- a/openbsc/src/libmsc/vty_interface_layer3.c
+++ b/openbsc/src/libmsc/vty_interface_layer3.c
@@ -548,6 +548,13 @@ DEFUN(ena_subscr_name,
 		return CMD_WARNING;
 	}
 
+	if (strlen(name) > sizeof(subscr->name)-1) {
+		vty_out(vty,
+			"%% NAME is too long, max. %d characters are allowed%s",
+			sizeof(subscr->name)-1, VTY_NEWLINE);
+		return CMD_WARNING;
+	}
+
 	strncpy(subscr->name, name, sizeof(subscr->name));
 	talloc_free(name);
 	db_sync_subscriber(subscr);
@@ -574,6 +581,13 @@ DEFUN(ena_subscr_extension,
 		return CMD_WARNING;
 	}
 
+	if (strlen(ext) > sizeof(subscr->extension)-1) {
+		vty_out(vty,
+			"%% EXTENSION is too long, max. %d characters are allowed%s",
+			sizeof(subscr->extension)-1, VTY_NEWLINE);
+		return CMD_WARNING;
+	}
+
 	strncpy(subscr->extension, ext, sizeof(subscr->extension));
 	db_sync_subscriber(subscr);
 
-- 
cgit v1.2.3