Currently the size of the IMSI pointer is used instead of the size of the talloc'ed buffer.
This commit changes the call to gsm48_mi_to_string to use the same value that has been used with talloc_zero_size(). The length is changed to 17 since that value is used for GSM_IMSI_LENGTH in openbsc.
Fixes: Coverity CID 1040663
Sponsored-by: On-Waves ehf
---
 src/gb/gprs_bssgp_bss.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/gb/gprs_bssgp_bss.c b/src/gb/gprs_bssgp_bss.c index 962bf2e..3a9012e 100644 --- a/src/gb/gprs_bssgp_bss.c +++ b/src/gb/gprs_bssgp_bss.c @@ -34,6 +34,8 @@
#include "common_vty.h"
+#define GSM_IMSI_LENGTH 17 + uint8_t *bssgp_msgb_tlli_put(struct msgb *msg, uint32_t tlli) { uint32_t _tlli = htonl(tlli); @@ -498,8 +500,8 @@ int bssgp_rx_paging(struct bssgp_paging_info *pinfo, if (!TLVP_PRESENT(&tp, BSSGP_IE_IMSI)) goto err_mand_ie; if (!pinfo->imsi) - pinfo->imsi = talloc_zero_size(pinfo, 16); - gsm48_mi_to_string(pinfo->imsi, sizeof(pinfo->imsi), + pinfo->imsi = talloc_zero_size(pinfo, GSM_IMSI_LENGTH); + gsm48_mi_to_string(pinfo->imsi, GSM_IMSI_LENGTH, TLVP_VAL(&tp, BSSGP_IE_IMSI), TLVP_LEN(&tp, BSSGP_IE_IMSI));
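Review bot: the "#define GSM_IMSI_LENGTH 17" added near the top of gprs_bssgp_bss.c is a file-local copy of a constant that, per the commit message, already exists under the same name in openbsc, and it carries no comment on what the 17 covers. Suggest placing it in a shared libosmogsm header so the copies cannot drift apart, and adding a one-line comment stating whether the value includes the terminating NUL.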
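Review bot: in bssgp_rx_paging() the result of "talloc_zero_size(pinfo, GSM_IMSI_LENGTH)" is handed to gsm48_mi_to_string() without a NULL check, and when pinfo->imsi is already set on entry the call still assumes that buffer is GSM_IMSI_LENGTH bytes long. Suggest returning an error if the allocation fails, and either documenting that a caller-supplied pinfo->imsi must be at least GSM_IMSI_LENGTH bytes or always allocating the buffer here, since a shorter pre-existing buffer could be written past its end.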
On 18 Jun 2015, at 13:21, Jacob Erlbeck jerlbeck@sysmocom.de wrote:
Currently the size of the IMSI pointer is used instead of the size of the talloc'ed buffer.
This commit changes the call to gsm48_mi_to_string to use the same value that has been used with talloc_zero_size(). The length is changed to 17 since that value is used for GSM_IMSI_LENGTH in openbsc.
Thank you. It feels good to close the amount of open Coverity issues. Could you identify a good place to put the IMSI_LENGTH/MSISDN_LENGTH in a header file of libosmogsm? I think we have two definitions in OpenBSC now and one in libosmocore.
have a nice weekend
holger