nitb/ctrl: Fix access to freed memory in verify_subscriber_modify
Currently the temporary string 'tmp' is freed before parts of it are referenced. This lets address sanitizer complain when evaluating strlen(imsi), where imsi points into the 'tmp' data block. This patch moves the talloc_free to the end of the function and uses a rc variable instead of using early returns. Addresses: testSubscriberAddRemove (__main__.TestCtrlNITB) ... Launch: ./src/osmo-nitb/osmo-nitb -c ./doc/examples/osmo-nitb/nanobts/openbsc.cfg -l test_hlr.sqlite3 Connecting to host 127.0.0.1:4249 Sending "SET 1000 subscriber-modify-v1 2620345,445566" Decoded replies: {} ERROR Sponsored-by: On-Waves ehf
parent
5a38f6470e
commit
76606d3473
|
@ -27,6 +27,7 @@
|
||||||
static int verify_subscriber_modify(struct ctrl_cmd *cmd, const char *value, void *d)
|
static int verify_subscriber_modify(struct ctrl_cmd *cmd, const char *value, void *d)
|
||||||
{
|
{
|
||||||
char *tmp, *imsi, *msisdn, *saveptr = NULL;
|
char *tmp, *imsi, *msisdn, *saveptr = NULL;
|
||||||
|
int rc = 0;
|
||||||
|
|
||||||
tmp = talloc_strdup(cmd, value);
|
tmp = talloc_strdup(cmd, value);
|
||||||
if (!tmp)
|
if (!tmp)
|
||||||
|
@ -34,15 +35,16 @@ static int verify_subscriber_modify(struct ctrl_cmd *cmd, const char *value, voi
|
||||||
|
|
||||||
imsi = strtok_r(tmp, ",", &saveptr);
|
imsi = strtok_r(tmp, ",", &saveptr);
|
||||||
msisdn = strtok_r(NULL, ",", &saveptr);
|
msisdn = strtok_r(NULL, ",", &saveptr);
|
||||||
talloc_free(tmp);
|
|
||||||
|
|
||||||
if (!imsi || !msisdn)
|
if (!imsi || !msisdn)
|
||||||
return 1;
|
rc = 1;
|
||||||
if (strlen(imsi) >= GSM_IMSI_LENGTH)
|
else if (strlen(imsi) >= GSM_IMSI_LENGTH)
|
||||||
return 1;
|
rc = 1;
|
||||||
if (strlen(msisdn) >= GSM_EXTENSION_LENGTH)
|
else if (strlen(msisdn) >= GSM_EXTENSION_LENGTH)
|
||||||
return 1;
|
rc = 1;
|
||||||
return 0;
|
|
||||||
|
talloc_free(tmp);
|
||||||
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int get_subscriber_modify(struct ctrl_cmd *cmd, void *data)
|
static int get_subscriber_modify(struct ctrl_cmd *cmd, void *data)
|
||||||
|
|
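Review bot: The checks in verify_subscriber_modify still bound only the length of the two tokens, so a value arriving on the control interface with non-digit characters in either field, or with further comma-separated fields after the MSISDN, passes verification. If the set handler (not visible here) does not validate further, consider rejecting such input at this point, for example `else if (imsi[strspn(imsi, "0123456789")] != '\0')` followed by `rc = 1;`, and the same for msisdn if extensions are meant to be numeric. It would also help to add `/* imsi and msisdn point into tmp; free it only after their last use */` above `talloc_free(tmp);` so the lifetime dependency this commit fixes is not reintroduced.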