Commit 3b96a7ac authored by DONG Anyuan

Fix Coverity Scan CID 60241 (Passing &eplmn to function emm_proc_attach_accept...

Fix Coverity Scan CID 60241 (Passing &eplmn to function emm_proc_attach_accept which uses it as an array. This might corrupt or misinterpret adjacent memory locations.)
parent 7cf75c6d
4 merge requests: !650 Release v1.1.0 Candidate, !620 Resolve "Coverity Scan Fix (Week25)", !617 Develop: Integration 2019 Week 25, !588 Develop nr merge
...@@ -211,21 +211,21 @@ int emm_recv_attach_accept(nas_user_t *user, attach_accept_msg *msg, int *emm_ca ...@@ -211,21 +211,21 @@ int emm_recv_attach_accept(nas_user_t *user, attach_accept_msg *msg, int *emm_ca
/* Get the list of equivalent PLMNs */ /* Get the list of equivalent PLMNs */
int n_eplmns = 0; int n_eplmns = 0;
plmn_t eplmn; plmn_t eplmn[1];
if (msg->presencemask & ATTACH_ACCEPT_EQUIVALENT_PLMNS_PRESENT) { if (msg->presencemask & ATTACH_ACCEPT_EQUIVALENT_PLMNS_PRESENT) {
n_eplmns = 1; n_eplmns = 1;
eplmn.MCCdigit1 = msg->equivalentplmns.mccdigit1; eplmn[0].MCCdigit1 = msg->equivalentplmns.mccdigit1;
eplmn.MCCdigit2 = msg->equivalentplmns.mccdigit2; eplmn[0].MCCdigit2 = msg->equivalentplmns.mccdigit2;
eplmn.MCCdigit3 = msg->equivalentplmns.mccdigit3; eplmn[0].MCCdigit3 = msg->equivalentplmns.mccdigit3;
eplmn.MNCdigit1 = msg->equivalentplmns.mncdigit1; eplmn[0].MNCdigit1 = msg->equivalentplmns.mncdigit1;
eplmn.MNCdigit2 = msg->equivalentplmns.mncdigit2; eplmn[0].MNCdigit2 = msg->equivalentplmns.mncdigit2;
eplmn.MNCdigit3 = msg->equivalentplmns.mncdigit3; eplmn[0].MNCdigit3 = msg->equivalentplmns.mncdigit3;
} }
/* Execute attach procedure accepted by the network */ /* Execute attach procedure accepted by the network */
rc = emm_proc_attach_accept(user, T3412, T3402, T3423, n_tais, tai, pguti, rc = emm_proc_attach_accept(user, T3412, T3402, T3423, n_tais, tai, pguti,
n_eplmns, &eplmn, n_eplmns, eplmn,
&msg->esmmessagecontainer.esmmessagecontainercontents); &msg->esmmessagecontainer.esmmessagecontainercontents);
  • Developer

    Dear @donganyuan, I don't think the original code is wrong. Your fix makes the code a bit strange. An array of size 1 is strange. So, if possible, it would maybe be better to flag this problem in Coverity Scan as a "false positive". What do you think? Do you agree with my remark? Can we flag this problem as a "false positive" in Coverity Scan?

    Edited by Cédric Roux
  • Author Developer

    Dear @Cedric.Roux, thanks for your comment. As for CID 60241, the original variable 'plmn_t *eplmn' is a pointer given by &eplmn. But the emm_proc_attach_accept() function is handling this pointer as an array. That's why Coverity Scan complains. Coverity Scan thinks it might corrupt or cause other problems.

    However, there's another variable 'int n_eplmns' in the function emm_proc_attach_accept(). Even if the pointer 'plmn_t *eplmn' is used as an array, it will be OK, because n_eplmns is used as the index of the array, and eplmn[i] will be checked by 'i < n_eplmns' in the 'for' loop, so it will not corrupt.

    So, I agree with you. We could ignore this defect and flag it as a "false positive".

LOG_FUNC_RETURN (rc); LOG_FUNC_RETURN (rc);
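Review bot: At the new declaration `plmn_t eplmn[1];`, the array length and the hard-coded `n_eplmns = 1;` two lines below are independent literals, so nothing keeps the count passed to emm_proc_attach_accept() within the storage if either one is changed later. Consider deriving the count from the array, for example `n_eplmns = sizeof(eplmn) / sizeof(eplmn[0]);`, or adding a short comment saying that the array form exists because the callee treats the argument as an array. Separately, eplmn has no initializer and is filled only when ATTACH_ACCEPT_EQUIVALENT_PLMNS_PRESENT is set, yet it is passed in both cases; with n_eplmns at 0 the safety of that call depends on the callee, which is not visible in this hunk, honoring the count. A zero initializer on the declaration would remove that dependency.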