neels has submitted this change. ( 
https://gerrit.osmocom.org/c/osmo-msc/+/20201 )

Change subject: mncc_call: fix memory overrun
......................................................................

mncc_call: fix memory overrun

The struct gsm_mncc which is created and populated in mncc_call_tx_setup_ind
is cast to a union mncc_msg* pointer. This leads to a memory overrun
in mncc_call_tx because the union mncc_msg is larger than the gsm_mncc struct.

To fix this, let's just declare a union mncc_msg and populate the signal
member inside it. This can be handed over to mncc_call_tx. The data in
it will look the same, except that the memory will have the proper
length (longer).

Change-Id: Ifff28b3375d6bd5e4f837f25c46736952f7bfa9b
Fixes: CID 214330
---
M src/libmsc/mncc_call.c
1 file changed, 9 insertions(+), 8 deletions(-)

Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, approved



diff --git a/src/libmsc/mncc_call.c b/src/libmsc/mncc_call.c
index 9d52952..131620d 100644
--- a/src/libmsc/mncc_call.c
+++ b/src/libmsc/mncc_call.c
@@ -208,24 +208,25 @@

 static void mncc_call_tx_setup_ind(struct mncc_call *mncc_call)
 {
-       struct gsm_mncc mncc_msg = mncc_call->outgoing_req;
-       mncc_msg.msg_type = MNCC_SETUP_IND;
-       mncc_msg.callref = mncc_call->callref;
+       union mncc_msg mncc_msg;
+       mncc_msg.signal = mncc_call->outgoing_req;
+       mncc_msg.signal.msg_type = MNCC_SETUP_IND;
+       mncc_msg.signal.callref = mncc_call->callref;

-       OSMO_STRLCPY_ARRAY(mncc_msg.imsi, mncc_call->vsub->imsi);
+       OSMO_STRLCPY_ARRAY(mncc_msg.signal.imsi, mncc_call->vsub->imsi);

        if (!(mncc_call->outgoing_req.fields & MNCC_F_CALLING)) {
                /* No explicit calling number set, use the local subscriber */
-               mncc_msg.fields |= MNCC_F_CALLING;
-               OSMO_STRLCPY_ARRAY(mncc_msg.calling.number, 
mncc_call->vsub->msisdn);
+               mncc_msg.signal.fields |= MNCC_F_CALLING;
+               OSMO_STRLCPY_ARRAY(mncc_msg.signal.calling.number, 
mncc_call->vsub->msisdn);

        }
        mncc_call->local_msisdn_present = true;
-       mncc_call->local_msisdn = mncc_msg.calling;
+       mncc_call->local_msisdn = mncc_msg.signal.calling;

        rate_ctr_inc(&gsmnet->msc_ctrs->ctr[MSC_CTR_CALL_MO_SETUP]);

-       mncc_call_tx(mncc_call, (union mncc_msg*)&mncc_msg);
+       mncc_call_tx(mncc_call, &mncc_msg);
 }

 static void mncc_call_rx_setup_req(struct mncc_call *mncc_call, const struct 
gsm_mncc *incoming_req)
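Review bot: `union mncc_msg mncc_msg;` at the top of mncc_call_tx_setup_ind is left uninitialized and only the `signal` member is populated afterwards, so the bytes of the union beyond `sizeof(struct gsm_mncc)` still hold whatever happened to be on the stack. The over-read is gone, but if mncc_call_tx copies or transmits the full `sizeof(union mncc_msg)` the trailing part of the message is now uninitialized stack data rather than neighbouring memory. Suggest `union mncc_msg mncc_msg = {};` (or a memset before the `mncc_msg.signal = mncc_call->outgoing_req;` assignment) so the whole message handed to mncc_call_tx is deterministic. Minor: the blank line left inside the `if` block before the closing `}` could be dropped.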

--
To view, visit https://gerrit.osmocom.org/c/osmo-msc/+/20201

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Change-Id: Ifff28b3375d6bd5e4f837f25c46736952f7bfa9b
Gerrit-Change-Number: 20201
Gerrit-PatchSet: 1
Gerrit-Owner: dexter <[email protected]>
Gerrit-Assignee: neels <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: dexter <[email protected]>
Gerrit-Reviewer: laforge <[email protected]>
Gerrit-Reviewer: neels <[email protected]>
Gerrit-CC: neels <[email protected]>
Gerrit-MessageType: merged
