diff options
| author | Harald Welte <laforge@gnumonks.org> | 2019-01-20 10:37:49 +0100 |
|---|---|---|
| committer | Harald Welte <laforge@gnumonks.org> | 2019-01-22 14:53:46 +0000 |
| commit | 1c3bae138cea1dbde480ce4382120034eb769e82 (patch) | |
| tree | fc297ba07badb2ae23fa0a93e00457c50b64209b /src/gb | |
| parent | 1317771c9340a9fdc86911206cdc8719a3d2bfe6 (diff) | |
constrain gsm48_generate_mid() output array bounds
The longest BCd-digit type identity is the IMEISV with 16, so there's
no point in trying to parse up to 255 decimal digits, which will do
nothing but to overflow the caller-provided output buffer.
Let's also clearly define the required minimum size of the output
buffer and add a reltead #define for it.
Change-Id: Ic8488bc7f77dc9182e372741b88f0f06100dddc9
Diffstat (limited to 'src/gb')
| -rw-r--r-- | src/gb/gprs_bssgp.c | 4 | ||||
| -rw-r--r-- | src/gb/gprs_bssgp_bss.c | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/src/gb/gprs_bssgp.c b/src/gb/gprs_bssgp.c index 3b9fbf95..be7ef9f1 100644 --- a/src/gb/gprs_bssgp.c +++ b/src/gb/gprs_bssgp.c @@ -1156,7 +1156,7 @@ int bssgp_tx_dl_ud(struct msgb *msg, uint16_t pdu_lifetime, /* IMSI */ if (dup->imsi && strlen(dup->imsi)) { - uint8_t mi[10]; + uint8_t mi[GSM48_MID_MAX_SIZE]; int imsi_len = gsm48_generate_mid_from_imsi(mi, dup->imsi); if (imsi_len > 2) msgb_tvlv_push(msg, BSSGP_IE_IMSI, @@ -1205,7 +1205,7 @@ int bssgp_tx_paging(uint16_t nsei, uint16_t ns_bvci, struct bssgp_normal_hdr *bgph = (struct bssgp_normal_hdr *) msgb_put(msg, sizeof(*bgph)); uint16_t drx_params = osmo_htons(pinfo->drx_params); - uint8_t mi[10]; + uint8_t mi[GSM48_MID_MAX_SIZE]; int imsi_len = gsm48_generate_mid_from_imsi(mi, pinfo->imsi); struct gsm48_ra_id ra; diff --git a/src/gb/gprs_bssgp_bss.c b/src/gb/gprs_bssgp_bss.c index 487286c4..77350e27 100644 --- a/src/gb/gprs_bssgp_bss.c +++ b/src/gb/gprs_bssgp_bss.c @@ -178,7 +178,7 @@ int bssgp_tx_radio_status_imsi(struct bssgp_bvc_ctx *bctx, uint8_t cause, const char *imsi) { struct msgb *msg = common_tx_radio_status(bctx); - uint8_t mi[10]; + uint8_t mi[GSM48_MID_MAX_SIZE]; int imsi_len = gsm48_generate_mid_from_imsi(mi, imsi); if (!msg) |