commit 496aee7cb809069133fe37f39ccac7607ec6c9b3
author Jacob Erlbeck <jerlbeck@sysmocom.de> Mon Jan 26 10:38:12 2015 +0100
committer Jacob Erlbeck <jerlbeck@sysmocom.de> Mon Jan 26 10:59:49 2015 +0100
tree 0dd9e72bfc4673d494e419cad7e21b64745f58c2
parent 37139e5933337e3e24f4bd83955c3492123e9ed0

sgsn: Ensure 0-terminated imsi strings (Coverity)

Currently the size argument of strncpy is set to sizeof(mm->imsi) in
some places. If the source IMSI string is too long, the terminating
NUL byte in the static mm->imsi field gets overwritten.

This patch limits the size to sizeof(mm->imsi)-1, so that the last
byte of the buffer (that has been initialized to 0) is not
overwritten.

Fixes: Coverity CID 12065751, 12065754, 1206575

Sponsored-by: On-Waves ehf

openbsc/src/gprs/gprs_gmm.c

diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c
index 1e1372c..03773a6 100644
--- a/openbsc/src/gprs/gprs_gmm.c
+++ b/openbsc/src/gprs/gprs_gmm.c
@@ -765,10 +765,10 @@
 				mm_ctx_cleanup_free(ictx, "GPRS IMSI re-use");
 			}
 		}
-		strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi));
+		strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi) - 1);
 		break;
 	case GSM_MI_TYPE_IMEI:
-		strncpy(ctx->imei, mi_string, sizeof(ctx->imei));
+		strncpy(ctx->imei, mi_string, sizeof(ctx->imei) - 1);
 		break;
 	case GSM_MI_TYPE_IMEISV:
 		break;
@@ -856,7 +856,7 @@
 				reject_cause = GMM_CAUSE_NET_FAIL;
 				goto rejected;
 			}
-			strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi));
+			strncpy(ctx->imsi, mi_string, sizeof(ctx->imsi) - 1);
 #endif
 		}
 		ctx->tlli = msgb_tlli(msg);