sgsn: Ensure 0-terminated imsi strings (Coverity)
Currently the size argument of strncpy is set to sizeof(mm->imsi) in some places. If the source IMSI string is too long, the terminating NUL byte in the static mm->imsi field gets overwritten. This patch limits the size to sizeof(mm->imsi)-1, so that the last byte of the buffer (that has been initialized to 0) is not overwritten. Fixes: Coverity CID 12065751, 12065754, 1206575 Sponsored-by: On-Waves ehf
parent
37139e5933
commit
496aee7cb8
|
@ -765,10 +765,10 @@ static int gsm48_rx_gmm_id_resp(struct sgsn_mm_ctx *ctx, struct msgb *msg)
|
|||
mm_ctx_cleanup_free(ictx, "GPRS IMSI re-use");
|
||||
}
|
||||
}
|
||||
strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi));
|
||||
strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi) - 1);
|
||||
break;
|
||||
case GSM_MI_TYPE_IMEI:
|
||||
strncpy(ctx->imei, mi_string, sizeof(ctx->imei));
|
||||
strncpy(ctx->imei, mi_string, sizeof(ctx->imei) - 1);
|
||||
break;
|
||||
case GSM_MI_TYPE_IMEISV:
|
||||
break;
|
||||
|
@ -856,7 +856,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
|
|||
reject_cause = GMM_CAUSE_NET_FAIL;
|
||||
goto rejected;
|
||||
}
|
||||
strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi));
|
||||
strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi) - 1);
|
||||
#endif
|
||||
}
|
||||
ctx->tlli = msgb_tlli(msg);
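Review bot: The three copies into `ctx->imsi` and `ctx->imei` (two in gsm48_rx_gmm_id_resp, one in gsm48_rx_gmm_att_req) end up terminated only if the last byte of each field is still zero, and nothing visible in these hunks establishes that for a context that may already have been in use. Writing the terminator next to each copy, e.g. `ctx->imsi[sizeof(ctx->imsi) - 1] = '\0';`, makes the guarantee local instead of depending on how the context was allocated. An over-long `mi_string` is also still stored truncated without a log or a reject; if that value is decoded from the received message, as it appears to be, a length check before the copy would be safer than keeping a shortened identity. Both functions begin and end outside the hunks shown.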
|
||||
|
|
|
@ -61,7 +61,7 @@ int sgsn_acl_add(const char *imsi, struct sgsn_config *cfg)
|
|||
acl = talloc_zero(NULL, struct imsi_acl_entry);
|
||||
if (!acl)
|
||||
return -ENOMEM;
|
||||
strncpy(acl->imsi, imsi, sizeof(acl->imsi));
|
||||
strncpy(acl->imsi, imsi, sizeof(acl->imsi) - 1);
|
||||
|
||||
llist_add(&acl->list, &cfg->imsi_acl);
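Review bot: An IMSI longer than the field is now silently truncated and the shortened value is added to the ACL, so the list can hold an entry that differs from what was configured. Termination itself is fine here because `talloc_zero` leaves the last byte zero, but the function should refuse the input instead, for example `if (strlen(imsi) >= sizeof(acl->imsi)) return -EINVAL;` ahead of the allocation. The start of sgsn_acl_add is outside the hunk, so an earlier length check may already exist; if it does, a short comment at the `strncpy` saying so would help.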
|
||||
|
||||
|
|