diff options
author | Jacob Erlbeck <jerlbeck@sysmocom.de> | 2014-10-28 14:57:53 +0100 |
---|---|---|
committer | Jacob Erlbeck <jerlbeck@sysmocom.de> | 2014-10-28 15:17:02 +0100 |
commit | 76606d3473b61963a4d87bdad9f002e6191b9ece (patch) | |
tree | 615e2ff4e5cfb4093772f86e24ab893923e4a4d0 | |
parent | 5a38f6470e74b0d7d7746fa65573f2acf76197eb (diff) |
nitb/ctrl: Fix access to freed memory in verify_subscriber_modify
Currently the temporary string 'tmp' is freed before parts of it are
referenced. This lets address sanitizer complain when evaluating
strlen(imsi), where imsi points into the 'tmp' data block.
This patch moves the talloc_free to the end of the function and uses
a rc variable instead of using early returns.
Addresses:
testSubscriberAddRemove (__main__.TestCtrlNITB) ... Launch:
./src/osmo-nitb/osmo-nitb -c
./doc/examples/osmo-nitb/nanobts/openbsc.cfg -l test_hlr.sqlite3
Connecting to host 127.0.0.1:4249
Sending "SET 1000 subscriber-modify-v1 2620345,445566"
Decoded replies: {}
ERROR
Sponsored-by: On-Waves ehf
-rw-r--r-- | openbsc/src/libmsc/ctrl_commands.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/openbsc/src/libmsc/ctrl_commands.c b/openbsc/src/libmsc/ctrl_commands.c index df85c8e88..702a7ae21 100644 --- a/openbsc/src/libmsc/ctrl_commands.c +++ b/openbsc/src/libmsc/ctrl_commands.c @@ -27,6 +27,7 @@ static int verify_subscriber_modify(struct ctrl_cmd *cmd, const char *value, void *d) { char *tmp, *imsi, *msisdn, *saveptr = NULL; + int rc = 0; tmp = talloc_strdup(cmd, value); if (!tmp) @@ -34,15 +35,16 @@ static int verify_subscriber_modify(struct ctrl_cmd *cmd, const char *value, voi imsi = strtok_r(tmp, ",", &saveptr); msisdn = strtok_r(NULL, ",", &saveptr); - talloc_free(tmp); if (!imsi || !msisdn) - return 1; - if (strlen(imsi) >= GSM_IMSI_LENGTH) - return 1; - if (strlen(msisdn) >= GSM_EXTENSION_LENGTH) - return 1; - return 0; + rc = 1; + else if (strlen(imsi) >= GSM_IMSI_LENGTH) + rc = 1; + else if (strlen(msisdn) >= GSM_EXTENSION_LENGTH) + rc = 1; + + talloc_free(tmp); + return rc; } static int get_subscriber_modify(struct ctrl_cmd *cmd, void *data) |