From: Harald Welte <laforge@gnumonks.org>
Date: Sat, 16 Jul 2011 15:41:02 +0000 (+0200)
Subject: settings.h: IMSI is 15 bytes +1 \0 maximum
X-Git-Url: http://git.rot13.org/?a=commitdiff_plain;h=48db968916514a9950fd1f8d43bbf389c39b1d53;p=osmocom-bb.git

settings.h: IMSI is 15 bytes +1 \0 maximum

If we use a larger field to store the IMSI, we can create overflows when
copying the imsi to other structures that are only 16 bytes in size.

Detected by Smatch:
src/host/layer23/src/mobile/subscriber.c +195 gsm_subscr_testcard(39) error: strcpy() 'set->test_imsi' too large for 'subscr->imsi' (20 vs 16)
---

diff --git a/src/host/layer23/include/osmocom/bb/mobile/settings.h b/src/host/layer23/include/osmocom/bb/mobile/settings.h
index 7fa6089..20a8692 100644
--- a/src/host/layer23/include/osmocom/bb/mobile/settings.h
+++ b/src/host/layer23/include/osmocom/bb/mobile/settings.h
@@ -21,10 +21,10 @@ struct gsm_settings {
 
 	/* SIM */
 	int			sim_type; /* selects card on power on */
-	char 			emergency_imsi[20]; /* just in case... */
+	char 			emergency_imsi[16];
 
 	/* test card simulator settings */
-	char 			test_imsi[20]; /* just in case... */
+	char 			test_imsi[16];
 	uint32_t		test_tmsi;
 	uint8_t			test_ki_type;
 	uint8_t			test_ki[16]; /* 128 bit max */