diff options
| -rw-r--r-- | src/gb/gprs_bssgp.c | 14 | ||||
| -rw-r--r-- | src/gb/gprs_bssgp_bss.c | 8 |
2 files changed, 21 insertions, 1 deletions
diff --git a/src/gb/gprs_bssgp.c b/src/gb/gprs_bssgp.c index be7ef9f1..4a4bab3e 100644 --- a/src/gb/gprs_bssgp.c +++ b/src/gb/gprs_bssgp.c @@ -1157,10 +1157,17 @@ int bssgp_tx_dl_ud(struct msgb *msg, uint16_t pdu_lifetime, /* IMSI */ if (dup->imsi && strlen(dup->imsi)) { uint8_t mi[GSM48_MID_MAX_SIZE]; +/* gsm48_generate_mid_from_imsi() is guaranteed to never return more than 11, + * but somehow gcc (8.2) is not smart enough to figure this out and claims that + * the memcpy in msgb_tvlv_put() below will cause and out-of-bounds access up to + * mi[131], which is wrong */ +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Warray-bounds" int imsi_len = gsm48_generate_mid_from_imsi(mi, dup->imsi); if (imsi_len > 2) msgb_tvlv_push(msg, BSSGP_IE_IMSI, imsi_len-2, mi+2); +#pragma GCC diagnostic pop } /* DRX parameters */ @@ -1220,7 +1227,14 @@ int bssgp_tx_paging(uint16_t nsei, uint16_t ns_bvci, else bgph->pdu_type = BSSGP_PDUT_PAGING_CS; /* IMSI */ +/* gsm48_generate_mid_from_imsi() is guaranteed to never return more than 11, + * but somehow gcc (8.2) is not smart enough to figure this out and claims that + * the memcpy in msgb_tvlv_put() below will cause and out-of-bounds access up to + * mi[131], which is wrong */ +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Warray-bounds" msgb_tvlv_put(msg, BSSGP_IE_IMSI, imsi_len-2, mi+2); +#pragma GCC diagnostic pop /* DRX Parameters */ msgb_tvlv_put(msg, BSSGP_IE_DRX_PARAMS, 2, (uint8_t *) &drx_params); diff --git a/src/gb/gprs_bssgp_bss.c b/src/gb/gprs_bssgp_bss.c index 77350e27..bef9bb11 100644 --- a/src/gb/gprs_bssgp_bss.c +++ b/src/gb/gprs_bssgp_bss.c @@ -183,10 +183,16 @@ int bssgp_tx_radio_status_imsi(struct bssgp_bvc_ctx *bctx, uint8_t cause, if (!msg) return -ENOMEM; - +/* gsm48_generate_mid_from_imsi() is guaranteed to never return more than 11, + * but somehow gcc (8.2) is not smart enough to figure this out and claims that + * the memcpy in msgb_tvlv_put() below will cause and out-of-bounds access up to + * mi[131], which is wrong */ +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Warray-bounds" /* strip the MI type and length values (2 bytes) */ if (imsi_len > 2) msgb_tvlv_put(msg, BSSGP_IE_IMSI, imsi_len-2, mi+2); +#pragma GCC diagnostic pop LOGPC(DBSSGP, LOGL_NOTICE, "IMSI=%s ", imsi); return common_tx_radio_status2(msg, cause); |