vlr_ciph_result: fix use after free of imeisv Define the struct vlr_ciph_result member .imeisv not as a char* but a char[] of appropriate length, to avoid the need to point to external memory. Thus fix a use-after-free in msc_cipher_mode_compl(), which defined the imeisv[] buffer in a sub-scope within that function, so that the .imeisv pointer was already invalid when fed to vlr_subscr_rx_ciph_res(). Did you notice that the commit summary rhymes? Closes: OS#3053 Change-Id: I90cfb952a7dec6d104200872164ebadb25d0260d

commit: fa10eda6d70a4ecb37b6dfe629e665a16f8d3f59 [log] [tgz]
author: Neels Hofmeyr <neels@hofmeyr.de> Tue Mar 13 01:22:01 2018 +0100
committer: Neels Hofmeyr <neels@hofmeyr.de> Tue Mar 13 01:29:04 2018 +0100
tree: 8bc2188d25bf2093f2b158e15b264c39bb3cdc3b
parent: 620ba9369d63c25774975ea0a903b78929e6420c [diff] [blame]
diff --git a/src/libvlr/vlr_lu_fsm.c b/src/libvlr/vlr_lu_fsm.c
index c6fd080..9a4a239 100644
--- a/src/libvlr/vlr_lu_fsm.c
+++ b/src/libvlr/vlr_lu_fsm.c

@@ -1165,7 +1165,7 @@
 		return;
 	}
 
-	if (res.imeisv) {
+	if (*res.imeisv) {
 		LOGPFSM(fi, "got IMEISV: %s\n", res.imeisv);
 		vlr_subscr_set_imeisv(vsub, res.imeisv);
 	}
commit	fa10eda6d70a4ecb37b6dfe629e665a16f8d3f59	[log] [tgz]
author	Neels Hofmeyr <neels@hofmeyr.de>	Tue Mar 13 01:22:01 2018 +0100
committer	Neels Hofmeyr <neels@hofmeyr.de>	Tue Mar 13 01:29:04 2018 +0100
tree	8bc2188d25bf2093f2b158e15b264c39bb3cdc3b
parent	620ba9369d63c25774975ea0a903b78929e6420c [diff] [blame]