From patchwork Tue Apr 7 15:49:49 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jacob Erlbeck X-Patchwork-Id: 458703 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.osmocom.org (unknown [IPv6:2a01:4f8:191:444b::2:7]) by ozlabs.org (Postfix) with ESMTP id 66DE21401DD for ; Wed, 8 Apr 2015 01:51:08 +1000 (AEST) Received: from lists.osmocom.org (lists.osmocom.org [144.76.43.76]) by lists.osmocom.org (Postfix) with ESMTP id 74C112C03; Tue, 7 Apr 2015 15:51:05 +0000 (UTC) X-Original-To: openbsc@lists.osmocom.org Delivered-To: openbsc@lists.osmocom.org Received: from ganesha.gnumonks.org (ganesha.gnumonks.org [213.95.27.120]) by lists.osmocom.org (Postfix) with ESMTP id BED672BFB for ; Tue, 7 Apr 2015 15:51:04 +0000 (UTC) Received: from mail.sysmocom.de ([144.76.43.93]) by ganesha.gnumonks.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from ) id 1YfVmI-0006rW-SG for openbsc@lists.osmocom.org; Tue, 07 Apr 2015 17:51:04 +0200 Received: from sysmocom-tmp.am93.sysmocom.de (ip5b41c286.dynamic.kabel-deutschland.de [91.65.194.134]) by mail.sysmocom.de (Postfix) with ESMTPSA id C0826BBEA9; Tue, 7 Apr 2015 15:50:13 +0000 (UTC) From: Jacob Erlbeck To: openbsc@lists.osmocom.org Subject: [PATCH 3/4] nitb: Check source string length before calling strncpy (Coverity) Date: Tue, 7 Apr 2015 17:49:49 +0200 Message-Id: <1428421790-3423-3-git-send-email-jerlbeck@sysmocom.de> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1428421790-3423-1-git-send-email-jerlbeck@sysmocom.de> References: <1428421790-3423-1-git-send-email-jerlbeck@sysmocom.de> X-Spam-Score: 0.9 (/) X-Spam-Report: SpamASsassin versoin 3.3.1 on ganesha.gnumonks.org summary: Content analysis details: (0.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 2.7 DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org 0.1 TW_CP BODY: Odd Letter Triples with CP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0090] X-BeenThere: openbsc@lists.osmocom.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Development of the OpenBSC GSM base station controller List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openbsc-bounces@lists.osmocom.org Sender: "OpenBSC" Currently some VTY command do neither check the length of the source string before calling strncpy nor ensure NUL-termination afterwards. This can to destination string buffers whose contents are not NUL-teminated. This commit adds checks and corresponding warnings to the VTY commands 'subscriber TYPE ID name .NAME" and "subscriber TYPE ID extension EXTENSION". Fixes: Coverity CID 1206570, 1206569 Sponsored-by: On-Waves ehf --- openbsc/src/libmsc/vty_interface_layer3.c | 14 ++++++++++++++ openbsc/tests/vty_test_runner.py | 26 ++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/openbsc/src/libmsc/vty_interface_layer3.c b/openbsc/src/libmsc/vty_interface_layer3.c index 68d9c44..558db5e 100644 --- a/openbsc/src/libmsc/vty_interface_layer3.c +++ b/openbsc/src/libmsc/vty_interface_layer3.c @@ -548,6 +548,13 @@ DEFUN(ena_subscr_name, return CMD_WARNING; } + if (strlen(name) > sizeof(subscr->name)-1) { + vty_out(vty, + "%% NAME is too long, max. %d characters are allowed%s", + sizeof(subscr->name)-1, VTY_NEWLINE); + return CMD_WARNING; + } + strncpy(subscr->name, name, sizeof(subscr->name)); talloc_free(name); db_sync_subscriber(subscr); @@ -574,6 +581,13 @@ DEFUN(ena_subscr_extension, return CMD_WARNING; } + if (strlen(ext) > sizeof(subscr->extension)-1) { + vty_out(vty, + "%% EXTENSION is too long, max. %d characters are allowed%s", + sizeof(subscr->extension)-1, VTY_NEWLINE); + return CMD_WARNING; + } + strncpy(subscr->extension, ext, sizeof(subscr->extension)); db_sync_subscriber(subscr); diff --git a/openbsc/tests/vty_test_runner.py b/openbsc/tests/vty_test_runner.py index 2b7fd19..fb4ca7d 100644 --- a/openbsc/tests/vty_test_runner.py +++ b/openbsc/tests/vty_test_runner.py @@ -286,6 +286,32 @@ class TestVTYNITB(TestVTYGenericBSC): res = self.vty.command('show subscriber imsi '+imsi) self.assert_(res != '% No subscriber found for imsi '+imsi) + def testSubscriberSettings(self): + self.vty.enable() + + imsi = "204300854013739" + wrong_imsi = "204300999999999" + + # Lets create one + res = self.vty.command('subscriber create imsi '+imsi) + self.assert_(res.find(" IMSI: "+imsi) > 0) + + self.vty.verify('subscriber imsi '+wrong_imsi+' name wrong', ['% No subscriber found for imsi '+wrong_imsi]) + res = self.vty.command('subscriber imsi '+imsi+' name '+('X' * 160)) + self.assert_(res.find("NAME is too long") > 0) + + self.vty.verify('subscriber imsi '+imsi+' name '+('G' * 159), ['']) + + self.vty.verify('subscriber imsi '+wrong_imsi+' extension 840', ['% No subscriber found for imsi '+wrong_imsi]) + res = self.vty.command('subscriber imsi '+imsi+' extension '+('9' * 15)) + self.assert_(res.find("EXTENSION is too long") > 0) + + self.vty.verify('subscriber imsi '+imsi+' extension '+('1' * 14), ['']) + + # Delete it + res = self.vty.command('subscriber delete imsi '+imsi) + self.assert_(res != "") + def testShowPagingGroup(self): res = self.vty.command("show paging-group 255 1234567") self.assertEqual(res, "% can't find BTS 255")