nitb: Fix IMSI/IMEI buffer handling (Coverity)

Currently the handling of the buffers is not done consistently. Some
code assumes that the whole buffer may be used to store the string
while at other places, the last buffer byte is left untouched in the
assumption that it contains a terminating NUL-character. The latter
is the correct behaviour.

This commit changes the code to not touch the last byte in the buffers
and to rely on the last byte being NUL. So the maximum IMSI/IMEI
length is GSM_IMSI_LENGTH-1/GSM_IMEI_LENGTH-1.

For information: We assume that we allocate the structure with
talloc_zero. This means we have NULed the entire imsi array and then
only write sizeof - 1 characters to it. So the last byte remains NUL.

Fixes: Coverity CID 1206568, 1206567
Sponsored-by: On-Waves ehf
Jacob Erlbeck 2015-04-09 14:47:18 +02:00 committed by Holger Hans Peter Freyther
parent 322b1499cd
commit 7ffa7b095f
3 changed files with 4 additions and 5 deletions


@ -112,8 +112,7 @@ struct gsm_subscriber *subscr_get_or_create(struct gsm_subscriber_group *sgrp,
if (!subscr)
return NULL;
strncpy(subscr->imsi, imsi, GSM_IMSI_LENGTH);
subscr->imsi[GSM_IMSI_LENGTH - 1] = '\0';
strncpy(subscr->imsi, imsi, GSM_IMSI_LENGTH-1);
subscr->group = sgrp;
return subscr;
}
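Review bot: The new `strncpy(subscr->imsi, imsi, GSM_IMSI_LENGTH-1)` leaves the copy unterminated whenever the caller's IMSI is GSM_IMSI_LENGTH-1 characters or longer, so correctness now rests on an invariant (the struct came from talloc_zero() and nothing ever writes the last byte) that is stated only in the commit message, not at the call site. Either record it next to the copy, `/* last byte stays NUL: struct is talloc_zero()'d, copies never exceed GSM_IMSI_LENGTH-1 */`, or use a copy that terminates unconditionally, `snprintf(subscr->imsi, sizeof(subscr->imsi), "%s", imsi);` (assuming imsi is declared as an array, which the hunk does not show). An over-long IMSI is also silently cut to a different, shorter identity here; a length check that rejects it would be safer than truncation. subscr_get_or_create begins before this hunk.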


@ -565,7 +565,7 @@ static int get_equipment_by_subscr(struct gsm_subscriber *subscr)
string = dbi_result_get_string(result, "imei");
if (string)
strncpy(equip->imei, string, sizeof(equip->imei));
strncpy(equip->imei, string, sizeof(equip->imei)-1);
string = dbi_result_get_string(result, "classmark1");
if (string) {
@ -802,7 +802,7 @@ static void db_set_from_query(struct gsm_subscriber *subscr, dbi_conn result)
const char *string;
string = dbi_result_get_string(result, "imsi");
if (string)
strncpy(subscr->imsi, string, GSM_IMSI_LENGTH);
strncpy(subscr->imsi, string, GSM_IMSI_LENGTH-1);
string = dbi_result_get_string(result, "tmsi");
if (string)
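Review bot: The two hunks in this file bound the copy differently — the imei copy uses `sizeof(equip->imei)-1` while the imsi copy in db_set_from_query uses the constant `GSM_IMSI_LENGTH-1`, so the imsi bound is no longer tied to the field's declaration. If subscr->imsi is an array (the hunk does not show its declaration), `strncpy(subscr->imsi, string, sizeof(subscr->imsi)-1);` keeps both sites consistent and survives a change to the array size. In db_set_from_query the target is an existing subscriber, so the unwritten last byte being NUL depends on every other writer in the code base respecting the same rule; a comment stating that assumption at the copy would help the next reader. A database row whose imsi or imei exceeds the buffer is silently truncated to a different identity; logging that case is worth considering. Both enclosing functions begin before their hunks.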


@ -399,7 +399,7 @@ int bsc_ussd_check(struct nat_sccp_connection *con, struct bsc_nat_parsed *parse
if (parsed->bssap != BSSAP_MSG_DTAP)
return 0;
if (strlen(con->imsi) > GSM_IMSI_LENGTH)
if (strlen(con->imsi) >= GSM_IMSI_LENGTH)
return 0;
hdr48 = bsc_unpack_dtap(parsed, msg, &len);
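Review bot: What the new `strlen(con->imsi) >= GSM_IMSI_LENGTH` guard achieves depends on how con->imsi is declared, which this hunk does not show. If it is a GSM_IMSI_LENGTH-byte array, strlen() has already read past its end by the time the condition can be true, so the check cannot make an unterminated buffer safe; if it is a separately allocated string, the check is sound but should say which fixed-size buffer it protects, e.g. `/* con->imsi is later copied into a GSM_IMSI_LENGTH buffer; reject anything that would not fit with its NUL */`. bsc_ussd_check begins before this hunk.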