author | Philipp Maier <pmaier@sysmocom.de> | 2020-09-18 18:01:32 +0200 |
---|---|---|
committer | Philipp Maier <pmaier@sysmocom.de> | 2020-09-18 18:08:39 +0200 |
commit | 8c472bd111ed9592f2513d08990a78b70bccb44e (patch) | |
tree | cbba5e8da80624b56886d66b97a347f22fc16b10 | |
parent | d4099c31c92f8ead0a6ad4ca53243b52ec4d299a (diff) |
mncc_call: fix memory overrun
The struct gsm_mncc which is created and populated in mncc_call_tx_setup_ind
is cast to a union mncc_msg* pointer. This leads to a memory overrun
in mncc_call_tx because the union mncc_msg is larger than the gsm_mncc struct.
To fix this, let's just declare a union mncc_msg and populate the signal
member inside it. This can be handed over to mncc_call_tx. The data in
it will look the same, except that the memory will have the proper
length (longer).
Change-Id: Ifff28b3375d6bd5e4f837f25c46736952f7bfa9b
Fixes: CID 214330
-rw-r--r-- | src/libmsc/mncc_call.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/src/libmsc/mncc_call.c b/src/libmsc/mncc_call.c
index 9d52952a3..131620d1e 100644
--- a/src/libmsc/mncc_call.c
+++ b/src/libmsc/mncc_call.c
@@ -208,24 +208,25 @@ void mncc_call_detach_rtp_stream(struct mncc_call *mncc_call)
 static void mncc_call_tx_setup_ind(struct mncc_call *mncc_call)
 {
- struct gsm_mncc mncc_msg = mncc_call->outgoing_req;
- mncc_msg.msg_type = MNCC_SETUP_IND;
- mncc_msg.callref = mncc_call->callref;
+ union mncc_msg mncc_msg;
+ mncc_msg.signal = mncc_call->outgoing_req;
+ mncc_msg.signal.msg_type = MNCC_SETUP_IND;
+ mncc_msg.signal.callref = mncc_call->callref;
- OSMO_STRLCPY_ARRAY(mncc_msg.imsi, mncc_call->vsub->imsi);
+ OSMO_STRLCPY_ARRAY(mncc_msg.signal.imsi, mncc_call->vsub->imsi);
 if (!(mncc_call->outgoing_req.fields & MNCC_F_CALLING)) {
 /* No explicit calling number set, use the local subscriber */
- mncc_msg.fields |= MNCC_F_CALLING;
- OSMO_STRLCPY_ARRAY(mncc_msg.calling.number, mncc_call->vsub->msisdn);
+ mncc_msg.signal.fields |= MNCC_F_CALLING;
+ OSMO_STRLCPY_ARRAY(mncc_msg.signal.calling.number, mncc_call->vsub->msisdn);
 }
 mncc_call->local_msisdn_present = true;
- mncc_call->local_msisdn = mncc_msg.calling;
+ mncc_call->local_msisdn = mncc_msg.signal.calling;
 rate_ctr_inc(&gsmnet->msc_ctrs->ctr[MSC_CTR_CALL_MO_SETUP]);
- mncc_call_tx(mncc_call, (union mncc_msg*)&mncc_msg);
+ mncc_call_tx(mncc_call, &mncc_msg);
 }
 static void mncc_call_rx_setup_req(struct mncc_call *mncc_call, const struct gsm_mncc *incoming_req) |
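Review bot: The new `union mncc_msg mncc_msg;` is left uninitialized, and only its `signal` member is written by the struct assignment on the next line, so the bytes of the union beyond `sizeof(struct gsm_mncc)` (the very bytes the over-read used to reach past the struct) still hold indeterminate stack contents. If `mncc_call_tx` hands the full union to the MNCC socket, as the commit message implies, those bytes are now transmitted to the peer; struct assignment also does not define the padding bytes inside `signal` itself. Zero the whole object before populating it, `union mncc_msg mncc_msg;` followed by `memset(&mncc_msg, 0, sizeof(mncc_msg));`, so the wire buffer carries no leftover stack data. This also matches the deterministic-contents expectation that CID 214330 was presumably about.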