sgsn: Ensure 0-terminated imsi strings (Coverity) Currently the size argument of strncpy is set to sizeof(mm->imsi) in some places. If the source IMSI string is too long, the terminating NUL byte in the static mm->imsi field gets overwritten. This patch limits the size to sizeof(mm->imsi)-1, so that the last byte of the buffer (that has been initialized to 0) is not overwritten. Fixes: Coverity CID 12065751, 12065754, 1206575 Sponsored-by: On-Waves ehf

commit: b485ee98f7e0a1c224bc62f1b39f9f347ae9ca3b [log] [tgz]
author: Jacob Erlbeck <jerlbeck@sysmocom.de> Mon Jan 26 10:38:12 2015 +0100
committer: Jacob Erlbeck <jerlbeck@sysmocom.de> Mon Jan 26 10:59:49 2015 +0100
tree: 0dd9e72bfc4673d494e419cad7e21b64745f58c2
parent: 7a7d8817f33045982a88f5c2056856ce3f6d676e [diff] [blame]
diff --git a/openbsc/src/gprs/sgsn_auth.c b/openbsc/src/gprs/sgsn_auth.c
index d77a021..b83294d 100644
--- a/openbsc/src/gprs/sgsn_auth.c
+++ b/openbsc/src/gprs/sgsn_auth.c

@@ -61,7 +61,7 @@
 	acl = talloc_zero(NULL, struct imsi_acl_entry);
 	if (!acl)
 		return -ENOMEM;
-	strncpy(acl->imsi, imsi, sizeof(acl->imsi));
+	strncpy(acl->imsi, imsi, sizeof(acl->imsi) - 1);
 
 	llist_add(&acl->list, &cfg->imsi_acl);
commit	b485ee98f7e0a1c224bc62f1b39f9f347ae9ca3b	[log] [tgz]
author	Jacob Erlbeck <jerlbeck@sysmocom.de>	Mon Jan 26 10:38:12 2015 +0100
committer	Jacob Erlbeck <jerlbeck@sysmocom.de>	Mon Jan 26 10:59:49 2015 +0100
tree	0dd9e72bfc4673d494e419cad7e21b64745f58c2
parent	7a7d8817f33045982a88f5c2056856ce3f6d676e [diff] [blame]