author | Neels Hofmeyr <neels@hofmeyr.de> | 2018-03-13 01:22:01 +0100 |
---|---|---|
committer | Neels Hofmeyr <neels@hofmeyr.de> | 2018-03-13 01:29:04 +0100 |
commit | fa10eda6d70a4ecb37b6dfe629e665a16f8d3f59 (patch) | |
tree | 8bc2188d25bf2093f2b158e15b264c39bb3cdc3b /include | |
parent | 620ba9369d63c25774975ea0a903b78929e6420c (diff) |
vlr_ciph_result: fix use after free of imeisv
Define the struct vlr_ciph_result member .imeisv not as a char* but a char[] of
appropriate length, to avoid the need to point to external memory.
Thus fix a use-after-free in msc_cipher_mode_compl(), which defined the
imeisv[] buffer in a sub-scope within that function, so that the .imeisv
pointer was already invalid when fed to vlr_subscr_rx_ciph_res().
Did you notice that the commit summary rhymes?
Closes: OS#3053
Change-Id: I90cfb952a7dec6d104200872164ebadb25d0260d
Diffstat (limited to 'include')
-rw-r--r-- | include/osmocom/msc/vlr.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/osmocom/msc/vlr.h b/include/osmocom/msc/vlr.h index c4b8cf60c..37702a9ee 100644 --- a/include/osmocom/msc/vlr.h +++ b/include/osmocom/msc/vlr.h @@ -74,7 +74,7 @@ enum vlr_ciph_result_cause { struct vlr_ciph_result { enum vlr_ciph_result_cause cause; - const char *imeisv; + char imeisv[GSM48_MI_SIZE]; }; enum vlr_subscr_security_context { |
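Review bot: the new member `char imeisv[GSM48_MI_SIZE];` in struct vlr_ciph_result has no comment saying how an absent IMEISV is represented. With the old `const char *imeisv;` a NULL pointer could mean "not present"; with an array, a test on `.imeisv` itself is always true, so the convention has to become something like an empty string (imeisv[0] == '\0'). A one-line comment on the member stating that convention, and that the buffer is always NUL-terminated, would make the contract clear. This diff is limited to include/, so the code that fills and reads .imeisv is not visible here. It is worth confirming that writers use a bounded, terminating copy sized by sizeof() of the member, and that no reader still compares the member against NULL.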