From 1c3bae138cea1dbde480ce4382120034eb769e82 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Sun, 20 Jan 2019 10:37:49 +0100
Subject: constrain gsm48_generate_mid() output array bounds

The longest BCd-digit type identity is the IMEISV with 16, so there's no point in trying to parse up to 255 decimal digits, which will do nothing but to overflow the caller-provided output buffer.

Let's also clearly define the required minimum size of the output buffer and add a reltead #define for it.

Change-Id: Ic8488bc7f77dc9182e372741b88f0f06100dddc9
---
src/gb/gprs_bssgp.c | 4 ++--
src/gb/gprs_bssgp_bss.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'src/gb')

diff --git a/src/gb/gprs_bssgp.c b/src/gb/gprs_bssgp.c
index 3b9fbf95..be7ef9f1 100644
--- a/src/gb/gprs_bssgp.c
+++ b/src/gb/gprs_bssgp.c
@@ -1156,7 +1156,7 @@ int bssgp_tx_dl_ud(struct msgb *msg, uint16_t pdu_lifetime,
 /* IMSI */
 if (dup->imsi && strlen(dup->imsi)) {
-uint8_t mi[10];
+uint8_t mi[GSM48_MID_MAX_SIZE];
 int imsi_len = gsm48_generate_mid_from_imsi(mi, dup->imsi);
 if (imsi_len > 2)
 msgb_tvlv_push(msg, BSSGP_IE_IMSI,
@@ -1205,7 +1205,7 @@ int bssgp_tx_paging(uint16_t nsei, uint16_t ns_bvci,
 struct bssgp_normal_hdr *bgph = (struct bssgp_normal_hdr *) msgb_put(msg, sizeof(*bgph));
 uint16_t drx_params = osmo_htons(pinfo->drx_params);
-uint8_t mi[10];
+uint8_t mi[GSM48_MID_MAX_SIZE];
 int imsi_len = gsm48_generate_mid_from_imsi(mi, pinfo->imsi);
 struct gsm48_ra_id ra;
diff --git a/src/gb/gprs_bssgp_bss.c b/src/gb/gprs_bssgp_bss.c
index 487286c4..77350e27 100644
--- a/src/gb/gprs_bssgp_bss.c
+++ b/src/gb/gprs_bssgp_bss.c
@@ -178,7 +178,7 @@ int bssgp_tx_radio_status_imsi(struct bssgp_bvc_ctx *bctx, uint8_t cause,
 const char *imsi)
 {
 struct msgb *msg = common_tx_radio_status(bctx);
-uint8_t mi[10];
+uint8_t mi[GSM48_MID_MAX_SIZE];
 int imsi_len = gsm48_generate_mid_from_imsi(mi, imsi);
 if (!msg)
--
cgit v1.2.3
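Review bot: The `if (imsi_len > 2)` guard in bssgp_tx_dl_ud silently omits the IMSI IE when gsm48_generate_mid_from_imsi() returns a short or negative value, and nothing in the hunk says why; with the encoder now bounded to GSM48_MID_MAX_SIZE (per the commit message), an over-long dup->imsi presumably ends up in this branch instead of overflowing mi, so the skip deserves a comment. I would add above the check: `/* short/negative result: IMSI could not be encoded into mi (bounded by GSM48_MID_MAX_SIZE); omit the IE rather than send it truncated */`. The threshold 2 is a magic number; if it stands for the minimum valid MID length, a named constant would make the intent clearer. The rest of bssgp_tx_dl_ud lies outside the hunk, so whether the caller learns about the omission cannot be seen here.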
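Review bot: In bssgp_tx_paging, pinfo->imsi is handed to gsm48_generate_mid_from_imsi() without the `dup->imsi && strlen(dup->imsi)` style guard that bssgp_tx_dl_ud in the same file uses, and imsi_len is not checked anywhere within the hunk. If the remainder of bssgp_tx_paging (outside this hunk) pushes mi with imsi_len unconditionally, a negative or too-short result from the now-bounded encoder would be used as an IE length. A one-line check right after the call, such as `if (imsi_len < 0) { msgb_free(msg); return -EINVAL; }`, would close this, assuming msgb_free() is the matching release for msg and no other resource is held at that point — the allocation of msg sits above the hunk and is not visible here.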
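Review bot: bssgp_tx_radio_status_imsi() encodes the MID before the `if (!msg)` check, so the conversion runs even when the function is about to bail out, and the imsi argument gets no NULL/empty guard of the kind bssgp_tx_dl_ud applies. Since the function's opening brace is in the hunk, a guard such as `if (!imsi || !*imsi) return -EINVAL;` (or whatever error convention the file uses) could go as the first statement, before common_tx_radio_status() allocates msg, so nothing needs freeing on that path; then move `int imsi_len = gsm48_generate_mid_from_imsi(mi, imsi);` below the `if (!msg)` early return so the order is validate, allocate, encode. Whether imsi_len itself is validated before use depends on the rest of the function, which ends outside the hunk.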