From 59504dc80fe8c0d9a18994d82586a550c7efa341 Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr <nhofmeyr@sysmocom.de>
Date: Fri, 13 Jan 2017 03:10:54 +0100
Subject: [PATCH] fix strncpy() invocation in vty_interface_layer3.c and 3
 tests

Use osmo_strlcpy() to fix unsafe invocation of strncpy(), which potentially
left the result unterminated.

Change-Id: I1a119b1760a3e3262538b4b012d476fdce505482
---
 openbsc/src/libcommon/gsup_test_client.c  | 7 ++++---
 openbsc/src/libmsc/vty_interface_layer3.c | 2 +-
 openbsc/tests/mgcp/mgcp_test.c            | 3 ++-
 openbsc/tests/sgsn/sgsn_test.c            | 3 ++-
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/openbsc/src/libcommon/gsup_test_client.c b/openbsc/src/libcommon/gsup_test_client.c
index 1889c6fde..861212a64 100644
--- a/openbsc/src/libcommon/gsup_test_client.c
+++ b/openbsc/src/libcommon/gsup_test_client.c
@@ -7,6 +7,7 @@
 #include <osmocom/core/msgb.h>
 #include <osmocom/core/select.h>
 #include <osmocom/core/application.h>
+#include <osmocom/core/utils.h>
 #include <osmocom/gsm/gsup.h>
 
 #include <openbsc/gsup_client.h>
@@ -108,7 +109,7 @@ int req_auth_info(const char *imsi)
 	struct osmo_gsup_message gsup = {0};
 	struct msgb *msg = msgb_alloc_headroom(1200, 200, __func__);
 
-	strncpy(gsup.imsi, io->imsi, sizeof(gsup.imsi));
+	osmo_strlcpy(gsup.imsi, io->imsi, sizeof(gsup.imsi));
 	gsup.message_type = OSMO_GSUP_MSGT_SEND_AUTH_INFO_REQUEST;
 
 	osmo_gsup_encode(msg, &gsup);
@@ -123,7 +124,7 @@ int req_loc_upd(const char *imsi)
 	struct osmo_gsup_message gsup = {0};
 	struct msgb *msg = msgb_alloc_headroom(1200, 200, __func__);
 
-	strncpy(gsup.imsi, io->imsi, sizeof(gsup.imsi));
+	osmo_strlcpy(gsup.imsi, io->imsi, sizeof(gsup.imsi));
 	gsup.message_type = OSMO_GSUP_MSGT_UPDATE_LOCATION_REQUEST;
 
 	osmo_gsup_encode(msg, &gsup);
@@ -136,7 +137,7 @@ int resp_isd(struct imsi_op *io)
 	struct osmo_gsup_message gsup = {0};
 	struct msgb *msg = msgb_alloc_headroom(1200, 200, __func__);
 
-	strncpy(gsup.imsi, io->imsi, sizeof(gsup.imsi));
+	osmo_strlcpy(gsup.imsi, io->imsi, sizeof(gsup.imsi));
 	gsup.message_type = OSMO_GSUP_MSGT_INSERT_DATA_RESULT;
 
 	osmo_gsup_encode(msg, &gsup);
diff --git a/openbsc/src/libmsc/vty_interface_layer3.c b/openbsc/src/libmsc/vty_interface_layer3.c
index edece51c2..4f412b106 100644
--- a/openbsc/src/libmsc/vty_interface_layer3.c
+++ b/openbsc/src/libmsc/vty_interface_layer3.c
@@ -601,7 +601,7 @@ DEFUN(ena_subscr_extension,
 		return CMD_WARNING;
 	}
 
-	strncpy(subscr->extension, ext, sizeof(subscr->extension));
+	osmo_strlcpy(subscr->extension, ext, sizeof(subscr->extension));
 	db_sync_subscriber(subscr);
 
 	subscr_put(subscr);
diff --git a/openbsc/tests/mgcp/mgcp_test.c b/openbsc/tests/mgcp/mgcp_test.c
index e2dc8fa37..b2d237ef5 100644
--- a/openbsc/tests/mgcp/mgcp_test.c
+++ b/openbsc/tests/mgcp/mgcp_test.c
@@ -25,6 +25,7 @@
 
 #include <osmocom/core/application.h>
 #include <osmocom/core/talloc.h>
+#include <osmocom/core/utils.h>
 #include <string.h>
 #include <limits.h>
 #include <dlfcn.h>
@@ -54,7 +55,7 @@ static void test_strline(void)
 	char buf[2048];
 	int counter = 0;
 
-	strncpy(buf, strline_test_data, sizeof(buf));
+	osmo_strlcpy(buf, strline_test_data, sizeof(buf));
 
 	for (line = strline_r(buf, &save); line;
 	     line = strline_r(NULL, &save)) {
diff --git a/openbsc/tests/sgsn/sgsn_test.c b/openbsc/tests/sgsn/sgsn_test.c
index b4bcaf662..fea635e9b 100644
--- a/openbsc/tests/sgsn/sgsn_test.c
+++ b/openbsc/tests/sgsn/sgsn_test.c
@@ -36,6 +36,7 @@
 #include <osmocom/core/application.h>
 #include <osmocom/core/msgb.h>
 #include <osmocom/core/rate_ctr.h>
+#include <osmocom/core/utils.h>
 
 #include <stdio.h>
 
@@ -1292,7 +1293,7 @@ int my_gsup_client_send(struct gsup_client *gsupc, struct msgb *msg)
 	rc = osmo_gsup_decode(msgb_data(msg), msgb_length(msg), &to_peer);
 	OSMO_ASSERT(rc >= 0);
 	OSMO_ASSERT(to_peer.imsi[0] != 0);
-	strncpy(from_peer.imsi, to_peer.imsi, sizeof(from_peer.imsi));
+	osmo_strlcpy(from_peer.imsi, to_peer.imsi, sizeof(from_peer.imsi));
 
 	/* This invalidates the pointers in to_peer */
 	msgb_free(msg);