paulmataruso/osmo-mgw
1
0
Fork 0
mirror of https://gitea.osmocom.org/cellular-infrastructure/osmo-mgw.git synced 2025-11-04 05:53:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix possible buffer overflow in mgcp_conn_dump()

Browse Source 
mgcp_conn.c: In function ‘mgcp_conn_dump’:
mgcp_conn.c:248:30: warning: ‘/rtp, id:’ directive output may be truncated writing 9 bytes into a region of size between 0 and 255 [-Wformat-truncation=]
   snprintf(str, sizeof(str), "(%s/rtp, id:%u, ip:%s, "
                              ^~~~~~~~~~~~~~~~~~~~~~~~~
mgcp_conn.c:248:30: note: directive argument in the range [0, 65535]
mgcp_conn.c:248:30: note: directive argument in the range [0, 65535]
mgcp_conn.c:248:3: note: ‘snprintf’ output 32 or more bytes (assuming 295) into a destination of size 256
   snprintf(str, sizeof(str), "(%s/rtp, id:%u, ip:%s, "

as mgcp_conn->name can already be up to 256 bytes, a total buffer size
of 256 is insufficient!

Change-Id: I5d48132b1358d19fe72e3901117737b09a42c69c
This commit is contained in:
Harald Welte
2017-11-17 14:28:46 +01:00
parent 9bf7c53779
commit 1b0cf6fa1c
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/libosmo-mgcp/mgcp_conn.c
View File

@@ -235,7 +235,7 @@ void mgcp_conn_free_all(struct mgcp_endpoint *endp)
* \returns human readble string */
char *mgcp_conn_dump(struct mgcp_conn *conn)
{
static char str[256];
static char str[sizeof(conn->name)+256];
if (!conn) {
snprintf(str, sizeof(str), "(null connection)");