diff options
author | Jacob Erlbeck <jerlbeck@sysmocom.de> | 2015-01-26 10:38:12 +0100 |
---|---|---|
committer | Jacob Erlbeck <jerlbeck@sysmocom.de> | 2015-01-26 10:59:49 +0100 |
commit | 496aee7cb809069133fe37f39ccac7607ec6c9b3 (patch) | |
tree | 0dd9e72bfc4673d494e419cad7e21b64745f58c2 /openbsc/src/gprs | |
parent | 37139e5933337e3e24f4bd83955c3492123e9ed0 (diff) |
sgsn: Ensure 0-terminated imsi strings (Coverity)
Currently the size argument of strncpy is set to sizeof(mm->imsi) in
some places. If the source IMSI string is too long, the terminating
NUL byte in the static mm->imsi field gets overwritten.
This patch limits the size to sizeof(mm->imsi)-1, so that the last
byte of the buffer (that has been initialized to 0) is not
overwritten.
Fixes: Coverity CID 12065751, 12065754, 1206575
Sponsored-by: On-Waves ehf
Diffstat (limited to 'openbsc/src/gprs')
-rw-r--r-- | openbsc/src/gprs/gprs_gmm.c | 6 | ||||
-rw-r--r-- | openbsc/src/gprs/sgsn_auth.c | 2 |
2 files changed, 4 insertions, 4 deletions
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c index 1e1372cd1..03773a61a 100644 --- a/openbsc/src/gprs/gprs_gmm.c +++ b/openbsc/src/gprs/gprs_gmm.c @@ -765,10 +765,10 @@ static int gsm48_rx_gmm_id_resp(struct sgsn_mm_ctx *ctx, struct msgb *msg) mm_ctx_cleanup_free(ictx, "GPRS IMSI re-use"); } } - strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi)); + strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi) - 1); break; case GSM_MI_TYPE_IMEI: - strncpy(ctx->imei, mi_string, sizeof(ctx->imei)); + strncpy(ctx->imei, mi_string, sizeof(ctx->imei) - 1); break; case GSM_MI_TYPE_IMEISV: break; @@ -856,7 +856,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg, reject_cause = GMM_CAUSE_NET_FAIL; goto rejected; } - strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi)); + strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi) - 1); #endif } ctx->tlli = msgb_tlli(msg); diff --git a/openbsc/src/gprs/sgsn_auth.c b/openbsc/src/gprs/sgsn_auth.c index d77a02194..b83294d30 100644 --- a/openbsc/src/gprs/sgsn_auth.c +++ b/openbsc/src/gprs/sgsn_auth.c @@ -61,7 +61,7 @@ int sgsn_acl_add(const char *imsi, struct sgsn_config *cfg) acl = talloc_zero(NULL, struct imsi_acl_entry); if (!acl) return -ENOMEM; - strncpy(acl->imsi, imsi, sizeof(acl->imsi)); + strncpy(acl->imsi, imsi, sizeof(acl->imsi) - 1); llist_add(&acl->list, &cfg->imsi_acl); |