authorMike Haben <michael.haben@btinternet.com>2009-10-26 20:36:34 +0100
committerHarald Welte <laforge@gnumonks.org>2009-10-26 20:39:26 +0100
commit2449b37dfe424248ea9fe2143efb78a3cd385d64 (patch)
treee9b939fed62cc7b978fbb5477aea2169001587e8
parentdc329a6cdb204d89c15599ca606e239dde368e7f (diff)
[USSD] various USSD improvements
- Improved handling of extension-number string (as per review) - Guard against a buffer-overflow if mobile sends a too-long USSD - declare some function-parameters const - fix gsm_ts_name function to display the right BTS number (bts->nr rather than bts->bts_nr)
-rw-r--r--openbsc/include/openbsc/gsm_04_80.h10
-rw-r--r--openbsc/include/openbsc/gsm_subscriber.h7
-rw-r--r--openbsc/src/gsm_04_80.c9
-rw-r--r--openbsc/src/gsm_data.c2
-rw-r--r--openbsc/src/ussd.c6
5 files changed, 20 insertions, 14 deletions
diff --git a/openbsc/include/openbsc/gsm_04_80.h b/openbsc/include/openbsc/gsm_04_80.h
index 9bdf2c200..c240bbe94 100644
--- a/openbsc/include/openbsc/gsm_04_80.h
+++ b/openbsc/include/openbsc/gsm_04_80.h
@@ -125,17 +125,19 @@
#include <openbsc/msgb.h>
+#define MAX_LEN_USSD_STRING 31
+
struct ussd_request {
- char text[32];
+ char text[MAX_LEN_USSD_STRING + 1];
u_int8_t transaction_id;
u_int8_t invoke_id;
};
-int gsm0480_decode_ussd_request(struct msgb *msg,
+int gsm0480_decode_ussd_request(const struct msgb *msg,
struct ussd_request *request);
-int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text,
+int gsm0480_send_ussd_response(const struct msgb *in_msg, const char* response_text,
const struct ussd_request *req);
-int gsm0480_send_ussd_reject(struct msgb *msg,
+int gsm0480_send_ussd_reject(const struct msgb *msg,
const struct ussd_request *request);
#endif
diff --git a/openbsc/include/openbsc/gsm_subscriber.h b/openbsc/include/openbsc/gsm_subscriber.h
index ea70c3aa2..d612ed566 100644
--- a/openbsc/include/openbsc/gsm_subscriber.h
+++ b/openbsc/include/openbsc/gsm_subscriber.h
@@ -8,13 +8,14 @@
#define GSM_IMEI_LENGTH 17
#define GSM_IMSI_LENGTH 17
#define GSM_NAME_LENGTH 128
-#define GSM_EXTENSION_LENGTH 128
+
+#define GSM_EXTENSION_LENGTH 15 /* MSISDN can only be 15 digits length */
+#define GSM_MIN_EXTEN 20000
+#define GSM_MAX_EXTEN 49999
/* reserved according to GSM 03.03 ยง 2.4 */
#define GSM_RESERVED_TMSI 0xFFFFFFFF
-#define GSM_MIN_EXTEN 20000
-#define GSM_MAX_EXTEN 49999
#define GSM_SUBSCRIBER_FIRST_CONTACT 0x00000001
#define tmsi_from_string(str) strtoul(str, NULL, 10)
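Review bot: The new `GSM_EXTENSION_LENGTH 15` does not say whether it counts the NUL terminator, and the comment describes 15 digits. If the subscriber struct declares `char extension[GSM_EXTENSION_LENGTH]` (the declaration is outside this hunk), a full 15-digit MSISDN leaves no room for the terminator. Shrinking the constant from 128 to 15 also means any writer that copies into that field without a bound, for example from the database or a config command, can now overrun or truncate it, so those call sites should be audited. I would either declare the array with `+ 1` or make the constant explicit, e.g. `#define GSM_EXTENSION_LENGTH 16 /* 15-digit MSISDN + NUL */`.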
diff --git a/openbsc/src/gsm_04_80.c b/openbsc/src/gsm_04_80.c
index 5d85c8221..7f5089de1 100644
--- a/openbsc/src/gsm_04_80.c
+++ b/openbsc/src/gsm_04_80.c
@@ -70,7 +70,7 @@ static inline unsigned char *msgb_push_TLV1(struct msgb *msgb, u_int8_t tag,
/* Decode a mobile-originated USSD-request message */
-int gsm0480_decode_ussd_request(struct msgb *msg, struct ussd_request *req)
+int gsm0480_decode_ussd_request(const struct msgb *msg, struct ussd_request *req)
{
int rc = 0;
u_int8_t *parse_ptr = msgb_l3(msg);
@@ -230,6 +230,9 @@ static int parse_process_uss_req(u_int8_t *uss_req_data, u_int8_t length,
if ((dcs == 0x0F) &&
(uss_req_data[5] == ASN1_OCTET_STRING_TAG)) {
num_chars = (uss_req_data[6] * 8) / 7;
+ /* Prevent a mobile-originated buffer-overrun! */
+ if (num_chars > MAX_LEN_USSD_STRING)
+ num_chars = MAX_LEN_USSD_STRING;
gsm_7bit_decode(req->text,
&(uss_req_data[7]), num_chars);
/* append null-terminator */
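Review bot: The added clamp bounds only the write into `req->text`. The read side is still driven by the mobile-supplied length octet `uss_req_data[6]`, which is never compared with the `length` parameter in the visible lines. `gsm_7bit_decode` can therefore read up to 28 octets starting at `uss_req_data[7]` even when the received message is shorter. The indexes `[4]`..`[6]` are likewise only safe if `length >= 7` was checked earlier, and that part of `parse_process_uss_req` lies outside this hunk. I would add a guard such as `if (length < 7 || uss_req_data[6] > length - 7)` before the decode and route it to the function's existing failure path. Silently truncating an over-long string also deserves a debug log line so malformed requests are visible to operators.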
@@ -242,7 +245,7 @@ static int parse_process_uss_req(u_int8_t *uss_req_data, u_int8_t length,
}
/* Send response to a mobile-originated ProcessUnstructuredSS-Request */
-int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text,
+int gsm0480_send_ussd_response(const struct msgb *in_msg, const char* response_text,
const struct ussd_request *req)
{
struct msgb *msg = gsm48_msgb_alloc();
@@ -295,7 +298,7 @@ int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text,
return gsm48_sendmsg(msg, NULL);
}
-int gsm0480_send_ussd_reject(struct msgb *in_msg,
+int gsm0480_send_ussd_reject(const struct msgb *in_msg,
const struct ussd_request *req)
{
struct msgb *msg = gsm48_msgb_alloc();
diff --git a/openbsc/src/gsm_data.c b/openbsc/src/gsm_data.c
index 34642900b..60205be13 100644
--- a/openbsc/src/gsm_data.c
+++ b/openbsc/src/gsm_data.c
@@ -232,7 +232,7 @@ static char ts2str[255];
char *gsm_ts_name(struct gsm_bts_trx_ts *ts)
{
snprintf(ts2str, sizeof(ts2str), "(bts=%d,trx=%d,ts=%d)",
- ts->trx->bts->bts_nr, ts->trx->nr, ts->nr);
+ ts->trx->bts->nr, ts->trx->nr, ts->nr);
return ts2str;
}
diff --git a/openbsc/src/ussd.c b/openbsc/src/ussd.c
index e414b1cea..a3d11f080 100644
--- a/openbsc/src/ussd.c
+++ b/openbsc/src/ussd.c
@@ -63,9 +63,9 @@ int handle_rcv_ussd(struct msgb *msg)
static int send_own_number(const struct msgb *msg, const struct ussd_request *req)
{
char *own_number = msg->lchan->subscr->extension;
- /* Need trailing CR as EOT character */
- char response_string[] = "Your extension is xxxxx\r";
+ char response_string[GSM_EXTENSION_LENGTH + 20];
- memcpy(response_string + 18, own_number, 5);
+ /* Need trailing CR as EOT character */
+ snprintf(response_string, sizeof(response_string), "Your extension is %s\r", own_number);
return gsm0480_send_ussd_response(msg, response_string, req);
}
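Review bot: The `snprintf` return value is ignored in `send_own_number`, so if `extension` ever holds more than `GSM_EXTENSION_LENGTH` characters the output is truncated and the trailing `\r` that the comment calls the EOT character is dropped without notice. The magic `+ 20` is also fragile, since it happens to equal the 18-byte prefix plus CR plus NUL. Deriving it from the literal keeps the two in step: `char response_string[sizeof("Your extension is \r") + GSM_EXTENSION_LENGTH];`. I would also check `n < 0 || (size_t)n >= sizeof(response_string)` after the call and make `own_number` a `const char *`. Whether `msg->lchan->subscr` can be NULL at this point is not visible here and is worth confirming, because it is dereferenced unconditionally.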