pespin has uploaded this change for review.

mgcp-client: Avoid string not null terminated access

>>> CID 272990: Memory - illegal accesses (STRING_NULL)
>>> Passing unterminated string "msg->data" to "mgcp_client_rx", which expects a null-terminated string.
736 ret = mgcp_client_rx(mgcp, msg);

mgcp_response_parse_head() will do:
"""
r->body = (char *)msg->data;
if (sscanf(r->body, "%3d %u %n", ...
"""

Fixes: Coverity CID#272990
Change-Id: Icb61a22f6dfd6267e469dc3e607e7d634b7d4685
---
M src/libosmo-mgcp-client/mgcp_client.c
1 file changed, 3 insertions(+), 1 deletion(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-mgw refs/changes/83/28483/1
diff --git a/src/libosmo-mgcp-client/mgcp_client.c b/src/libosmo-mgcp-client/mgcp_client.c
index 77de23f..8a04b75 100644
--- a/src/libosmo-mgcp-client/mgcp_client.c
+++ b/src/libosmo-mgcp-client/mgcp_client.c
@@ -719,7 +719,7 @@
return -1;
}

- ret = read(fd->fd, msg->data, 4096 - 128);
+ ret = read(fd->fd, msg->data, (4096 - 1) - 128);
if (ret <= 0) {
LOGPMGW(mgcp, LOGL_ERROR, "Failed to read: %s: %d='%s'\n",
osmo_sock_get_name2(fd->fd), errno, strerror(errno));
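Review bot: The byte reserved for the terminator is expressed as a second magic number in the read length, `(4096 - 1) - 128`, and the allocation these literals are meant to match is not visible in this hunk, so the two can drift apart silently. Consider deriving the length from the buffer itself, for example `msgb_tailroom(msg) - 1`, or at least naming the constants so the "- 1" is tied to the terminator written further down. Separately, the `ret <= 0` branch logs `errno` and `strerror(errno)` even when `read()` returned 0, where `errno` is not set by the call and the message will be misleading.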
@@ -729,6 +729,8 @@
}

msg->l2h = msgb_put(msg, ret);
+ /* EOS char to avoid out-of-buf str access, not part of the msg: */
+ *msg->tail = '\0';
ret = mgcp_client_rx(mgcp, msg);
talloc_free(msg);
return ret;
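Review bot: The store `*msg->tail = '\0';` lands one byte past what `msgb_put(msg, ret)` accounted for, and nothing in this hunk checks that the byte exists; it is only in bounds because the read length was shortened by one in the earlier hunk. An `OSMO_ASSERT(msgb_tailroom(msg) >= 1);` immediately before the write would make that dependency explicit and catch a later change to either size. It is also worth stating in the comment that the terminator only bounds the string functions: a NUL byte inside the received data will still make `sscanf()` in `mgcp_response_parse_head()` see a shorter message than `ret` bytes.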


Gerrit-Project: osmo-mgw
Gerrit-Branch: master
Gerrit-Change-Id: Icb61a22f6dfd6267e469dc3e607e7d634b7d4685
Gerrit-Change-Number: 28483
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin@sysmocom.de>
Gerrit-MessageType: newchange