vlr_ciph_result: fix use after free of imeisv

Define the struct vlr_ciph_result member .imeisv not as a char* but a char[] of appropriate length, to avoid the need to point to external memory. Thus fix a use-after-free in msc_cipher_mode_compl(), which defined the imeisv[] buffer in a sub-scope within that function, so that the .imeisv pointer was already invalid when fed to vlr_subscr_rx_ciph_res(). Did you notice that the commit summary rhymes? Closes: OS#3053 Change-Id: I90cfb952a7dec6d104200872164ebadb25d0260d
author: Neels Hofmeyr <neels@hofmeyr.de> 2018-03-13 01:22:01 +0100
committer: Neels Hofmeyr <neels@hofmeyr.de> 2018-03-13 01:29:04 +0100
commit: fa10eda6d70a4ecb37b6dfe629e665a16f8d3f59 (patch)
tree: 8bc2188d25bf2093f2b158e15b264c39bb3cdc3b /include/osmocom/msc/vlr.h
parent: 620ba9369d63c25774975ea0a903b78929e6420c (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/include/osmocom/msc/vlr.h b/include/osmocom/msc/vlr.h
index c4b8cf60c..37702a9ee 100644
--- a/include/osmocom/msc/vlr.h
+++ b/include/osmocom/msc/vlr.h
@@ -74,7 +74,7 @@ enum vlr_ciph_result_cause {
 
 struct vlr_ciph_result {
 	enum vlr_ciph_result_cause cause;
-	const char *imeisv;
+	char imeisv[GSM48_MI_SIZE];
 };
 
 enum vlr_subscr_security_context {
author	Neels Hofmeyr <neels@hofmeyr.de>	2018-03-13 01:22:01 +0100
committer	Neels Hofmeyr <neels@hofmeyr.de>	2018-03-13 01:29:04 +0100
commit	fa10eda6d70a4ecb37b6dfe629e665a16f8d3f59 (patch)
tree	8bc2188d25bf2093f2b158e15b264c39bb3cdc3b /include/osmocom/msc/vlr.h
parent	620ba9369d63c25774975ea0a903b78929e6420c (diff)