sgsn: Ensure 0-terminated imsi strings (Coverity)

Currently the size argument of strncpy is set to sizeof(mm->imsi) in
some places. If the source IMSI string is too long, the terminating
NUL byte in the static mm->imsi field gets overwritten.

This patch limits the size to sizeof(mm->imsi)-1, so that the last
byte of the buffer (that has been initialized to 0) is not
overwritten.

Fixes: Coverity CID 12065751, 12065754, 1206575

Sponsored-by: On-Waves ehf

openbsc/src/gprs/gprs_gmm.c

@@ -765,10 +765,10 @@ static int gsm48_rx_gmm_id_resp(struct sgsn_mm_ctx *ctx, struct msgb *msg)
 				mm_ctx_cleanup_free(ictx, "GPRS IMSI re-use");
 			}
 		}
-		strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi));
+		strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi) - 1);
 		break;
 	case GSM_MI_TYPE_IMEI:
-		strncpy(ctx->imei, mi_string, sizeof(ctx->imei));
+		strncpy(ctx->imei, mi_string, sizeof(ctx->imei) - 1);
 		break;
 	case GSM_MI_TYPE_IMEISV:
 		break;
@@ -856,7 +856,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 				reject_cause = GMM_CAUSE_NET_FAIL;
 				goto rejected;
 			}
-			strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi));
+			strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi) - 1);
 #endif
 		}
 		ctx->tlli = msgb_tlli(msg);

openbsc/src/gprs/sgsn_auth.c

@@ -61,7 +61,7 @@ int sgsn_acl_add(const char *imsi, struct sgsn_config *cfg)
 	acl = talloc_zero(NULL, struct imsi_acl_entry);
 	if (!acl)
 		return -ENOMEM;
-	strncpy(acl->imsi, imsi, sizeof(acl->imsi));
+	strncpy(acl->imsi, imsi, sizeof(acl->imsi) - 1);
 
 	llist_add(&acl->list, &cfg->imsi_acl);