pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-mgw/+/28483 )
Change subject: mgcp-client: Avoid string not null terminated access
mgcp-client: Avoid string not null terminated access
CID 272990: Memory - illegal accesses (STRING_NULL) Passing unterminated string "msg->data" to "mgcp_client_rx", which expects a null-terminated string.
736 ret = mgcp_client_rx(mgcp, msg);
mgcp_response_parse_head() will do:
"""
r->body = (char *)msg->data;
if (sscanf(r->body, "%3d %u %n", ...
"""
Fixes: Coverity CID#272990
Change-Id: Icb61a22f6dfd6267e469dc3e607e7d634b7d4685
---
M src/libosmo-mgcp-client/mgcp_client.c
1 file changed, 3 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-mgw refs/changes/83/28483/1
diff --git a/src/libosmo-mgcp-client/mgcp_client.c b/src/libosmo-mgcp-client/mgcp_client.c index 77de23f..8a04b75 100644 --- a/src/libosmo-mgcp-client/mgcp_client.c +++ b/src/libosmo-mgcp-client/mgcp_client.c @@ -719,7 +719,7 @@ return -1; }
- ret = read(fd->fd, msg->data, 4096 - 128); + ret = read(fd->fd, msg->data, (4096 - 1) - 128); if (ret <= 0) { LOGPMGW(mgcp, LOGL_ERROR, "Failed to read: %s: %d='%s'\n", osmo_sock_get_name2(fd->fd), errno, strerror(errno)); @@ -729,6 +729,8 @@ }
msg->l2h = msgb_put(msg, ret); + /* EOS char to avoid out-of-buf str access, not part of the msg: */ + *msg->tail = '\0'; ret = mgcp_client_rx(mgcp, msg); talloc_free(msg); return ret;
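Review bot: in the first hunk, the read length `(4096 - 1) - 128` is a hard-coded expression that has to stay in step with the buffer allocation, which is not visible in this hunk. Consider deriving the length from the buffer itself, for example `msgb_tailroom(msg) - 1`, or at least say on that line that the `- 1` reserves the terminator byte, so a later change to the allocation size cannot silently remove the room the second hunk relies on.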
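Review bot: in the second hunk, the store `*msg->tail = '\0';` is in bounds only because the read call in the first hunk leaves one byte unused, and nothing at the write site checks that. An `OSMO_ASSERT(msgb_tailroom(msg) > 0);` just before the store would make the dependency explicit and catch a future mismatch. The comment could also mention that the terminator only bounds the string functions: received data containing an embedded NUL will still be parsed as a string shorter than `ret` bytes.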