sgsn: Ensure 0-terminated imsi strings (Coverity)
Currently the size argument of strncpy is set to sizeof(mm->imsi) in
some places. If the source IMSI string is too long, the terminating
NUL byte in the static mm->imsi field gets overwritten.
This patch limits the size to sizeof(mm->imsi)-1, so that the last
byte of the buffer (that has been initialized to 0) is not
overwritten.
Fixes: Coverity CID 12065751, 12065754, 1206575
Sponsored-by: On-Waves ehf
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c
index 1e1372c..03773a6 100644
--- a/openbsc/src/gprs/gprs_gmm.c
+++ b/openbsc/src/gprs/gprs_gmm.c
@@ -765,10 +765,10 @@
mm_ctx_cleanup_free(ictx, "GPRS IMSI re-use");
}
}
- strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi));
+ strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi) - 1);
break;
case GSM_MI_TYPE_IMEI:
- strncpy(ctx->imei, mi_string, sizeof(ctx->imei));
+ strncpy(ctx->imei, mi_string, sizeof(ctx->imei) - 1);
break;
case GSM_MI_TYPE_IMEISV:
break;
@@ -856,7 +856,7 @@
reject_cause = GMM_CAUSE_NET_FAIL;
goto rejected;
}
- strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi));
+ strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi) - 1);
#endif
}
ctx->tlli = msgb_tlli(msg);
diff --git a/openbsc/src/gprs/sgsn_auth.c b/openbsc/src/gprs/sgsn_auth.c
index d77a021..b83294d 100644
--- a/openbsc/src/gprs/sgsn_auth.c
+++ b/openbsc/src/gprs/sgsn_auth.c
@@ -61,7 +61,7 @@
acl = talloc_zero(NULL, struct imsi_acl_entry);
if (!acl)
return -ENOMEM;
- strncpy(acl->imsi, imsi, sizeof(acl->imsi));
+ strncpy(acl->imsi, imsi, sizeof(acl->imsi) - 1);
llist_add(&acl->list, &cfg->imsi_acl);