This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Neels Hofmeyr gerrit-no-reply at lists.osmocom.orgNeels Hofmeyr has submitted this change and it was merged.
Change subject: hlr.c: Avoid overflow of lu_operation.subscr.imsi
......................................................................
hlr.c: Avoid overflow of lu_operation.subscr.imsi
It appears that hlr_subscriber.imsi is 16 buffers in size:
15 chars for IMSI + 1 byte NUL. However, osmo_gsup_message.imsi
is 17 bytes (for whatever reason), so we cannot simply do a strpy()
as this might overflow the hlr_subscriber.imsi field!
TODO: check if weactually ever receive a too-long IMSI in GSUP and
reject that at an earlier time in the code flow.
Fixes: Coverity CID#164746
Change-Id: I9ff94e6bb0ad2ad2a7c010d3ea7dad9af0f3c048
---
M src/hlr.c
1 file changed, 1 insertion(+), 1 deletion(-)
Approvals:
Neels Hofmeyr: Looks good to me, approved
Jenkins Builder: Verified
diff --git a/src/hlr.c b/src/hlr.c
index 6310526..78a7055 100644
--- a/src/hlr.c
+++ b/src/hlr.c
@@ -164,7 +164,7 @@
/* check if subscriber is known at all */
if (!lu_op_fill_subscr(luop, g_hlr->dbc, gsup->imsi)) {
/* Send Error back: Subscriber Unknown in HLR */
- strcpy(luop->subscr.imsi, gsup->imsi);
+ osmo_strlcpy(luop->subscr.imsi, gsup->imsi, sizeof(luop->subscr.imsi));
lu_op_tx_error(luop, GMM_CAUSE_IMSI_UNKNOWN);
return 0;
}
--
To view, visit https://gerrit.osmocom.org/4695
To unsubscribe, visit https://gerrit.osmocom.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I9ff94e6bb0ad2ad2a7c010d3ea7dad9af0f3c048
Gerrit-PatchSet: 2
Gerrit-Project: osmo-hlr
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>