diff options
| author | Jacob Erlbeck <jerlbeck@sysmocom.de> | 2015-06-18 13:21:30 +0200 |
|---|---|---|
| committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2015-06-19 20:54:28 +0200 |
| commit | c1cb75eff5b060da9e6d43521e4913a8bf4e74fc (patch) | |
| tree | a7461fe74480669cfaaab74c56ff638e3ca4f671 | |
| parent | 2c58197e5d717c5eb24e2b8cecac43c2afdff22a (diff) | |
bssgp: Fix IMSI buffer size (Coverity)
Currently the size of the IMSI pointer is used instead of the size of
the talloc'ed buffer.
This commit changes the call to gsm48_mi_to_string to use the same
value that has been used with talloc_zero_size(). The length is
changed to 17 since that value is used for GSM_IMSI_LENGTH in
openbsc.
Fixes: Coverity CID 1040663
Sponsored-by: On-Waves ehf
| -rw-r--r-- | src/gb/gprs_bssgp_bss.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/gb/gprs_bssgp_bss.c b/src/gb/gprs_bssgp_bss.c index 962bf2e8..3a9012e1 100644 --- a/src/gb/gprs_bssgp_bss.c +++ b/src/gb/gprs_bssgp_bss.c @@ -34,6 +34,8 @@ #include "common_vty.h" +#define GSM_IMSI_LENGTH 17 + uint8_t *bssgp_msgb_tlli_put(struct msgb *msg, uint32_t tlli) { uint32_t _tlli = htonl(tlli); @@ -498,8 +500,8 @@ int bssgp_rx_paging(struct bssgp_paging_info *pinfo, if (!TLVP_PRESENT(&tp, BSSGP_IE_IMSI)) goto err_mand_ie; if (!pinfo->imsi) - pinfo->imsi = talloc_zero_size(pinfo, 16); - gsm48_mi_to_string(pinfo->imsi, sizeof(pinfo->imsi), + pinfo->imsi = talloc_zero_size(pinfo, GSM_IMSI_LENGTH); + gsm48_mi_to_string(pinfo->imsi, GSM_IMSI_LENGTH, TLVP_VAL(&tp, BSSGP_IE_IMSI), TLVP_LEN(&tp, BSSGP_IE_IMSI)); |