nitb: Check source string length before calling strncpy (Coverity)
Currently some VTY command do neither check the length of the source
string before calling strncpy nor ensure NUL-termination afterwards.
This can to destination string buffers whose contents are not
NUL-teminated.
This commit adds checks and corresponding warnings to the VTY
commands 'subscriber TYPE ID name .NAME" and "subscriber TYPE ID
extension EXTENSION".
Fixes: Coverity CID 1206570, 1206569
Sponsored-by: On-Waves ehf
diff --git a/openbsc/src/libmsc/vty_interface_layer3.c b/openbsc/src/libmsc/vty_interface_layer3.c
index 68d9c44..558db5e 100644
--- a/openbsc/src/libmsc/vty_interface_layer3.c
+++ b/openbsc/src/libmsc/vty_interface_layer3.c
@@ -548,6 +548,13 @@
return CMD_WARNING;
}
+ if (strlen(name) > sizeof(subscr->name)-1) {
+ vty_out(vty,
+ "%% NAME is too long, max. %d characters are allowed%s",
+ sizeof(subscr->name)-1, VTY_NEWLINE);
+ return CMD_WARNING;
+ }
+
strncpy(subscr->name, name, sizeof(subscr->name));
talloc_free(name);
db_sync_subscriber(subscr);
@@ -574,6 +581,13 @@
return CMD_WARNING;
}
+ if (strlen(ext) > sizeof(subscr->extension)-1) {
+ vty_out(vty,
+ "%% EXTENSION is too long, max. %d characters are allowed%s",
+ sizeof(subscr->extension)-1, VTY_NEWLINE);
+ return CMD_WARNING;
+ }
+
strncpy(subscr->extension, ext, sizeof(subscr->extension));
db_sync_subscriber(subscr);