paulmataruso/osmo-hlr
1
0
Fork 0
mirror of https://gitea.osmocom.org/cellular-infrastructure/osmo-hlr.git synced 2025-11-02 05:03:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

hlr.c: Avoid overflow of lu_operation.subscr.imsi

Browse Source 
It appears that hlr_subscriber.imsi is 16 buffers in size:
15 chars for IMSI + 1 byte NUL.  However,  osmo_gsup_message.imsi
is 17 bytes (for whatever reason), so we cannot simply do a strpy()
as this might overflow the hlr_subscriber.imsi field!

TODO: check if weactually ever receive a too-long IMSI in GSUP and
reject that at an earlier time in the code flow.

Fixes: Coverity CID#164746

Change-Id: I9ff94e6bb0ad2ad2a7c010d3ea7dad9af0f3c048
This commit is contained in:
Harald Welte
2017-11-06 03:55:02 +09:00
committed by Neels Hofmeyr
parent 87a04b6b95
commit bd0d5bf5d8
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/hlr.c
View File

@@ -164,7 +164,7 @@ static int rx_upd_loc_req(struct osmo_gsup_conn *conn,
/* check if subscriber is known at all */
if (!lu_op_fill_subscr(luop, g_hlr->dbc, gsup->imsi)) {
/* Send Error back: Subscriber Unknown in HLR */
strcpy(luop->subscr.imsi, gsup->imsi);
osmo_strlcpy(luop->subscr.imsi, gsup->imsi, sizeof(luop->subscr.imsi));
lu_op_tx_error(luop, GMM_CAUSE_IMSI_UNKNOWN);
return 0;
}