Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/openbsc-1.3.2+dfsg1/openbsc/contrib/nat/test_regexp.c Examining data/openbsc-1.3.2+dfsg1/openbsc/contrib/testconv/testconv_main.c Examining data/openbsc-1.3.2+dfsg1/openbsc/include/compat_af_isdn.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/mISDNif.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/abis_nm.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/abis_om2000.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/abis_rsl.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/acc_ramp.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/arfcn_range_encode.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/auth.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_api.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_msc.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_msc_data.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_msg_filter.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_nat.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_nat_callstats.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_nat_sccp.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_rll.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_subscriber.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bss.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bts_ipaccess_nanobts_omlattr.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/chan_alloc.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/common_bsc.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/common_cs.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/ctrl.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/db.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/debug.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/e1_config.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_04_08.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_04_11.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_04_14.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_04_80.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_subscriber.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsup_client.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/handover.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/handover_decision.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/ipaccess.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/meas_feed.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/meas_rep.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/mgcp.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/mgcp_internal.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/mgcp_transcode.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/misdn.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/mncc.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/mncc_int.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/nat_rewrite_trie.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/network_listen.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/oap_client.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/openbscdefines.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/osmo_bsc.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/osmo_bsc_grace.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/osmo_bsc_rf.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/osmo_msc.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/osmux.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/paging.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/pcu_if.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/pcuif_proto.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/rest_octets.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/rrlp.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/rs232.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/rtp_proxy.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/silent_call.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/smpp.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/sms_queue.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/socket.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/system_information.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/token_auth.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/transaction.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/trau_mux.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/trau_upqueue.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/ussd.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/vty.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/signal.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_data.h Examining data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_data_shared.h Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm_ipaccess.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm_vty.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_rsl.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/acc_ramp.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/arfcn_range_encode.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_api.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_ctrl_commands.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_ctrl_lookup.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_dyn_ts.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_init.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_msc.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_rf_ctrl.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_rll.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_ericsson_rbs2000.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_init.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_ipaccess_nanobts.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_ipaccess_nanobts_omlattr.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_siemens_bs11.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_sysmobts.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_unknown.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/chan_alloc.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/e1_config.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/gsm_04_08_utils.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/gsm_04_80_utils.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/handover_decision.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/handover_logic.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/meas_proc.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/meas_rep.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/net_init.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/paging.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/rest_octets.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/system_information.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/pcu_sock.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_subscriber.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon-cs/common_cs.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon-cs/common_cs_vty.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/bsc_version.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/common_vty.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/debug.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/gsm_data.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/gsm_data_shared.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/gsm_subscriber_base.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/gsup_client.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/gsup_test_client.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/oap_client.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/socket.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/talloc_ctx.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libfilter/bsc_msg_acc.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libfilter/bsc_msg_filter.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libfilter/bsc_msg_vty.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/g711common.h Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_network.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_osmux.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_sdp.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_transcode.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/auth.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/ctrl_commands.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_11.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_14.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_80.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_subscriber.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/meas_feed.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/meas_feed.h Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/mncc.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/mncc_builtin.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/mncc_sock.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/osmo_msc.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/rrlp.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/silent_call.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_openbsc.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.h Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_utils.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_vty.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/sms_queue.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/token_auth.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/transaction.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/ussd.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/rtp_proxy.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/trau_mux.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/trau_upqueue.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_api.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_audio.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_bssap.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_ctrl.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_filter.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_grace.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_main.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_msc.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_sccp.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_mgcp/mgcp_main.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_filter.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_filter.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite_trie.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_utils.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_sccp.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_ussd.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-nitb/bsc_hack.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/utils/isdnsync.c Examining data/openbsc-1.3.2+dfsg1/openbsc/src/utils/smpp_mirror.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/abis/abis_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc-nat-trie/bsc_nat_trie_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc-nat/bsc_data.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc-nat/bsc_nat_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc/bsc_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/channel/channel_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/db/db_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/gsm0408/gsm0408_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/mm_auth/mm_auth_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/nanobts_omlattr/nanobts_omlattr_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/smpp/smpp_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/subscr/bsc_subscr_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/subscr/subscr_test.c Examining data/openbsc-1.3.2+dfsg1/openbsc/tests/trau/trau_test.c FINAL RESULTS: data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1191:3: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy((char *)sw->file_id, file_id); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1193:3: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy((char *)sw->file_version, file_version); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2491:2: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(string, "Fault Report: %s (", data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:1444:2: [4] (format) sprintf: Potential format string problem (CWE-134). Make format string constant. sprintf(subscriber->extension, "%"PRIu64, try); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.c:145:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(acl->system_id, sys_id); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_vty.c:159:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(smsc->system_id, argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_vty.c:264:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(acl->passwd, argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/token_auth.c:45:2: [4] (format) snprintf: If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification. snprintf(sms_str, len, TOKEN_SMS_TEXT, subscr->imsi, token, data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:891:8: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. ret = sscanf(tok, "%*s %s", buf); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:903:9: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. slen = sprintf((char *) output->l3h, "%s %s %x@mgw MGCP 1.0%s%s", data/openbsc-1.3.2+dfsg1/openbsc/tests/db/db_test.c:178:2: [4] (format) snprintf: If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification. snprintf(scratch_str, sizeof(scratch_str), "%"PRIu32, alice->tmsi); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_test.c:429:12: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. int len = sprintf((char *)msg->data, "%s", str); data/openbsc-1.3.2+dfsg1/openbsc/tests/mm_auth/mm_auth_test.c:21:7: [4] (format) snprintf: If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification. l = snprintf(pos, len, FMT, ## args); \ data/openbsc-1.3.2+dfsg1/openbsc/tests/subscr/bsc_subscr_test.c:36:3: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. printf(#val " == " fmt "\n", (val)); \ data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_osmux.c:493:12: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. (random() % rtp_ssrc_winlen)); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/rtp_proxy.c:218:27: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. rs->transmit.sequence = random(); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/rtp_proxy.c:219:28: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. rs->transmit.timestamp = random(); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_main.c:111:7: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. c = getopt_long(argc, argv, "hd:DsTVc:e:r:t", data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_main.c:230:2: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. srand(time(NULL)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_mgcp/mgcp_main.c:105:7: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. c = getopt_long(argc, argv, "hc:sVD", long_options, &option_index); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_mgcp/mgcp_main.c:296:2: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. srand(time(NULL)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat.c:1496:7: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. c = getopt_long(argc, argv, "hd:sTVPc:m:l:D", data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat.c:1667:2: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. srand(time(NULL)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-nitb/bsc_hack.c:136:7: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. c = getopt_long(argc, argv, "hd:Dsl:ar:p:TPVc:e:mCr:M:", data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-nitb/bsc_hack.c:350:2: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. srand(time(NULL)); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:811:7: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. c = getopt_long(argc, argv, "hp:s:S:td:Dw:fra:", data/openbsc-1.3.2+dfsg1/openbsc/tests/gsm0408/gsm0408_test.c:450:2: [3] (random) srandom: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. srandom(1); data/openbsc-1.3.2+dfsg1/openbsc/tests/gsm0408/gsm0408_test.c:462:16: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. min_freq = random() % (1023 - range); data/openbsc-1.3.2+dfsg1/openbsc/tests/gsm0408/gsm0408_test.c:465:28: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. int arfcn = min_freq + random() % (range + 1); data/openbsc-1.3.2+dfsg1/openbsc/tests/trau/trau_test.c:75:2: [3] (random) srandom: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. srandom(42); data/openbsc-1.3.2+dfsg1/openbsc/tests/trau/trau_test.c:77:13: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. data[i] = random(); data/openbsc-1.3.2+dfsg1/openbsc/contrib/testconv/testconv_main.c:41:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[4096] = {0x80, 0}; data/openbsc-1.3.2+dfsg1/openbsc/contrib/testconv/testconv_main.c:72:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). out_samples = atoi(argv[3]); data/openbsc-1.3.2+dfsg1/openbsc/include/mISDNif.h:292:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char name[MISDN_MAX_IDLEN]; data/openbsc-1.3.2+dfsg1/openbsc/include/mISDNif.h:297:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char name[MISDN_MAX_IDLEN]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_nat.h:395:35: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. int bsc_mgcp_parse_response(const char *str, int *code, char transaction[60]); data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_nat.h:395:57: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. int bsc_mgcp_parse_response(const char *str, int *code, char transaction[60]); data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_nat_sccp.h:91:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char ussd_ti[8]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/bsc_subscriber.h:16:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char imsi[GSM23003_IMSI_MAX_DIGITS+1]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_data.h:457:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char addr[21+1]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_data.h:475:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char msg_id[16]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_data.h:490:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char text[SMS_TEXT_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_data_shared.h:709:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char version[MAX_VERSION_LENGTH]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_data_shared.h:710:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char sub_model[MAX_VERSION_LENGTH]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_data_shared.h:717:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char pcu_version[MAX_VERSION_LENGTH]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_subscriber.h:34:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char imei[GSM23003_IMEISV_NUM_DIGITS+1]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_subscriber.h:35:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char name[GSM_NAME_LENGTH]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_subscriber.h:47:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char imsi[GSM23003_IMSI_MAX_DIGITS+1]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_subscriber.h:50:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char name[GSM_NAME_LENGTH]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/gsm_subscriber.h:51:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char extension[GSM_EXTENSION_LENGTH]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/ipaccess.h:15:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char imsi[GSM23003_IMSI_MAX_DIGITS+1]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/meas_feed.h:16:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char imsi[15+1]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/meas_feed.h:17:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char name[31+1]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/meas_feed.h:18:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char scenario[31+1]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/mncc.h:157:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char imsi[16]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/mncc.h:166:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char data[0]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/nat_rewrite_trie.h:32:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char prefix[14]; data/openbsc-1.3.2+dfsg1/openbsc/include/openbsc/nat_rewrite_trie.h:33:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char rewrite[6]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:570:45: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. if (!handle_attr(bts, str2btsattr((const char *)sw_descr[i].file_id), data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:992:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char next_seg_buf[256]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1018:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char seg_buf[256]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1115:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char magic[4]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1116:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char more_magic[4]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1169:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char file_id[12+1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1170:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char file_version[80+1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1173:11: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). sw->fd = open(fname, O_RDONLY); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1206:3: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy((char *)sw->file_id, "id"); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1208:3: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy((char *)sw->file_version, "version"); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1624:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(cur, attr, attr_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1642:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(cur, attr, attr_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1893:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ptr, attr, att_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1910:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(data, rawmsg, len); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2080:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(cur, attr, attr_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2338:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char swl_fname[PATH_MAX]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2348:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char fname[PATH_MAX]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2366:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char linebuf[255]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2371:8: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). swl = fopen(bs11_sw->swl_fname, "r"); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2382:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char file_id[12+1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2383:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char file_version[80+1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2385:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char dir[PATH_MAX]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2709:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(data, ipaccess_magic, sizeof(ipaccess_magic)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2721:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(data, attr, attr_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2793:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&_buf->rac, &ci, sizeof(ci)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm_vty.c:95:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm_vty.c:109:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->obj_inst[0] = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm_vty.c:110:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->obj_inst[1] = atoi(argv[3]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm_vty.c:111:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->obj_inst[2] = atoi(argv[4]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm_vty.c:129:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm_vty.c:142:19: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->obj_class = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm_vty.c:143:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->obj_inst[0] = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm_vty.c:144:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->obj_inst[1] = atoi(argv[3]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm_vty.c:145:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->obj_inst[2] = atoi(argv[4]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:788:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char mo_buf[64]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:1833:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char idbuf[64]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2096:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char idbuf[32]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2311:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char idbuf[16]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2384:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(iwd_v->gen_char, cur, 3); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2386:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(iwd_v->rev_char, cur, 3); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2407:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(out_cur, last_v->gen_char, 3); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2409:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(out_cur, last_v->rev_char, 3); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2482:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char string[255]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2499:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(string + strlen(string), "%d", k + i*8); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2505:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(string + strlen(string), ")\n"); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:92:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:112:16: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->mo.bts = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:113:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->mo.assoc_so = atoi(argv[3]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:114:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->mo.inst = atoi(argv[4]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:132:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:145:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->mo.class = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:146:16: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->mo.bts = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:147:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->mo.assoc_so = atoi(argv[3]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:148:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). oms->mo.inst = atoi(argv[4]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:232:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int oper = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:324:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint8_t cgid = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:352:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint8_t cgid = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:381:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint16_t ccp = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:382:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint8_t ci = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:383:16: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint8_t tei = atoi(argv[3]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:403:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint16_t ccp = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:404:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint8_t ci = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:405:16: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint8_t tag = atoi(argv[3]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:450:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint16_t icp1 = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:451:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint16_t icp2 = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000_vty.c:452:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint8_t ci = atoi(argv[3]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_rsl.c:186:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(out, in, len); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_rsl.c:197:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(out, lchan->encr.key, lchan->encr.key_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_rsl.c:1905:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(lchan->rqd_ref, rqd_ref, sizeof(*rqd_ref)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_rsl.c:1952:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ia->mob_alloc, lchan->ts->hopping.ma_data, ia->mob_alloc_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_api.c:734:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(conn->lchan->encr.key, key, len); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_ctrl_commands.c:403:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int locked = atoi(cmd->value); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_ctrl_commands.c:406:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char now_buf[64]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_ctrl_commands.c:439:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int locked = atoi(cmd->value); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_ctrl_commands.c:461:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int tmp = atoi(value); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_ctrl_commands.c:484:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). trx->max_power_red = atoi(cmd->value); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_rf_ctrl.c:307:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_subscriber.c:116:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[32]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:364:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:384:19: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). e1_link->e1_nr = atoi(line); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:385:19: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). e1_link->e1_ts = atoi(ts); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:389:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). e1_link->e1_ts_ss = atoi(ss); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:937:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:946:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). trx_nr = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1008:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1017:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). trx_nr = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1026:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). ts_nr = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1309:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1321:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). trx_nr = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1333:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). ts_nr = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1345:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). lchan_nr = atoi(argv[3]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1417:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1445:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1474:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->neci = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1487:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int enable = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1514:35: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->handover.win_rxlev_avg = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1525:36: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->handover.win_rxqual_avg = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1536:41: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->handover.win_rxlev_avg_neigh = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1547:34: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->handover.pwr_interval = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1558:36: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->handover.pwr_hysteresis = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1569:34: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->handover.max_distance = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1582:24: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->pag_any_tch = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1606:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). value = atoi(argv[0]); \ data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1643:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1767:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int ci = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1785:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int lac = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1821:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bsic = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1842:16: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int site_id = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1843:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bts_id = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1893:26: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->nokia.skip_reset = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1913:30: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->nokia.no_loc_rel_cnf = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1933:35: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->nokia.bts_reset_timer_cnf = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1948:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int stream_id = atoi(argv[0]), linenr = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1948:42: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int stream_id = atoi(argv[0]), linenr = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1997:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->oml_tei = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2029:43: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->si_common.rach_control.tx_integer = atoi(argv[0]) & 0xf; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2045:65: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->si_common.rach_control.max_trans = rach_max_trans_val2raw(atoi(argv[0])); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2060:33: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->si_common.chan_desc.att = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2072:20: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bs_pa_mfrms = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2086:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bs_ag_blks_res = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2103:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->rach_b_thresh = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2116:26: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->rach_ldavg_slots = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2130:41: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->si_common.rach_control.cell_bar = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2146:6: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if (atoi(argv[0]) == 0) data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2184:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). control_class = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2208:22: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->ms_max_power = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2223:48: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->si_common.cell_sel_par.cell_resel_hyst = atoi(argv[0])/2; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2237:46: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->si_common.cell_sel_par.rxlev_acc_min = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2250:39: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->si_common.cell_ro_sel_par.cbq = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2265:50: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->si_common.cell_ro_sel_par.cell_resel_off = atoi(argv[0])/2; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2279:45: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->si_common.cell_ro_sel_par.temp_offs = atoi(argv[0])/10; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2307:49: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->si_common.cell_ro_sel_par.penalty_time = (atoi(argv[0])-20)/20; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2337:35: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->si_common.chan_desc.t3212 = atoi(argv[0]) / 6; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2363:38: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsm_bts_set_radio_link_timeout(bts, atoi(argv[0])); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2402:24: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->gprs.cell.bvci = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2420:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->gprs.nse.nsei = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2435:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int idx = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2442:30: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->gprs.nsvc[idx].nsvci = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2456:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int idx = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2463:35: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->gprs.nsvc[idx].local_port = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2477:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int idx = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2484:36: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->gprs.nsvc[idx].remote_port = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2497:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int idx = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2519:32: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->paging.free_chans_need = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2531:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int val = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2568:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int val = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2597:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->gprs.rac = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2651:27: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->gprs.net_ctrl_ord = atoi(argv[0] + 2); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2687:40: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts->gprs.supports_egprs_11bit_rach = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2856:19: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint16_t arfcn = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2887:19: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint16_t arfcn = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2888:22: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint8_t thresh_hi = atoi(argv[1]), thresh_lo = atoi(argv[2]), data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2888:49: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint8_t thresh_hi = atoi(argv[1]), thresh_lo = atoi(argv[2]), data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2889:10: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). prio = atoi(argv[3]), qrx = atoi(argv[4]), meas = atoi(argv[5]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2889:31: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). prio = atoi(argv[3]), qrx = atoi(argv[4]), meas = atoi(argv[5]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2889:53: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). prio = atoi(argv[3]), qrx = atoi(argv[4]), meas = atoi(argv[5]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2936:19: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint16_t arfcn = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2955:19: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint16_t arfcn = atoi(argv[0]), scramble = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2955:45: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint16_t arfcn = atoi(argv[0]), scramble = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2957:46: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). switch(bts_uarfcn_add(bts, arfcn, scramble, atoi(argv[2]))) { data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2984:26: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if (bts_uarfcn_del(bts, atoi(argv[0]), atoi(argv[1])) < 0) { data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:2984:41: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if (bts_uarfcn_del(bts, atoi(argv[0]), atoi(argv[1])) < 0) { data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3002:19: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint16_t arfcn = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3089:53: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). error = acc_ramp_set_step_interval(&bts->acc_ramp, atoi(argv[0])); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3112:49: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). error = acc_ramp_set_step_size(&bts->acc_ramp, atoi(argv[0])); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3241:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int dep = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3273:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int dep = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3296:27: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). mr->gsm48_ie[1] |= 1 << atoi(argv[i]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3309:24: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). modes[i].threshold = atoi(argv[i + 1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3321:25: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). modes[i].hysteresis = atoi(argv[i + 1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3342:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if (num < atoi(argv[0])) data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3345:20: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). mr_conf->smod = atoi(argv[0]) - 1; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3564:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int trx_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3594:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int arfcn = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3617:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). trx->nominal_power = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3628:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int maxpwr_r = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3684:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). trx->rsl_tei = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3696:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int locked = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3710:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int ts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3780:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). ts->tsc = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3794:16: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int enabled = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3816:20: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). ts->hopping.hsn = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3830:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). ts->hopping.maio = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3842:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int arfcn = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3856:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int arfcn = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3921:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:3968:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:4006:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:4033:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:4034:19: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int last_block = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:4078:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bts_nr = atoi(bts_str); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:4079:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int trx_nr = atoi(trx_str); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:4080:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int ts_nr = atoi(ts_str); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:4198:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int ss_nr = atoi(argv[3]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:4242:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). amr_mode = atoi(argv[6]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:4264:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int ss_nr = atoi(argv[3]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:4265:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int port = atoi(argv[5]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:4296:42: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. ctrl_cmd_send_trap(net->ctrl, argv[0], (char *) argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_ipaccess_nanobts_omlattr.c:29:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(data, &val, sizeof(val)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_ipaccess_nanobts_omlattr.c:34:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(data, &val, sizeof(val)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_ipaccess_nanobts_omlattr.c:44:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, "\x55\x5b\x61\x67\x6d\x73", 6); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_ipaccess_nanobts_omlattr.c:62:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, "\x1e\x24\x24\xa8\x34\x21\xa8", 7); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_ipaccess_nanobts_omlattr.c:68:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, "\x00\x01\x0a", 3); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_ipaccess_nanobts_omlattr.c:123:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, bts->gprs.nse.timer, ARRAY_SIZE(bts->gprs.nse.timer)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_ipaccess_nanobts_omlattr.c:140:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, bts->gprs.cell.timer, ARRAY_SIZE(bts->gprs.cell.timer)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:701:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(fu_config, fu_config_template, sizeof(fu_config_template)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:996:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(fu_config, bts_config_insite, sizeof(bts_config_insite)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:1004:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(fu_config + len, bts_config_1, sizeof(bts_config_1)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:1013:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(fu_config + len, bts_config_2, sizeof(bts_config_2)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:1021:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(fu_config + len, bts_config_3, sizeof(bts_config_3)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:1026:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(fu_config + len, bts_config_4, sizeof(bts_config_4)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:1071:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(noh->data, data, len_data); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:1193:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(noh->data, data, len_to_send); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:1208:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(oh->data, data, len_to_send); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:1232:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(oh->data, data, len_to_send); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:1368:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char indent[100] = ""; /* TODO: move static to BTS context */ data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:1401:4: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string. strcat(indent, " "); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/gsm_04_08_utils.c:161:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(network->ctype_by_chreq, ctype_by_chreq, sizeof(ctype_by_chreq)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/gsm_04_08_utils.c:406:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(lv + 1, mr->gsm48_ie, 2); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/gsm_04_08_utils.c:456:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(cur, si1->cell_channel_description, data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/handover_logic.c:136:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&new_lchan->mr_ms_lv, &old_lchan->mr_ms_lv, ARRAY_SIZE(new_lchan->mr_ms_lv)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/handover_logic.c:137:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&new_lchan->mr_bts_lv, &old_lchan->mr_bts_lv, ARRAY_SIZE(new_lchan->mr_bts_lv)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/pcu_sock.c:163:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(info_ind->nse_timer, bts->gprs.nse.timer, 7); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/pcu_sock.c:164:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(info_ind->cell_timer, bts->gprs.cell.timer, 11); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/pcu_sock.c:364:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char imsi_digit_buf[4]; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/pcu_sock.c:394:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->l3h, data_req->data, data_req->len); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/pcu_sock.c:417:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->l3h, data_req->data + 4, data_req->len - 4); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/system_information.c:1182:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&si_info.selection_params, data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon-cs/common_cs_vty.c:165:25: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->reject_cause = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon-cs/common_cs_vty.c:180:26: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->a5_encryption = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon-cs/common_cs_vty.c:209:25: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->send_mm_info = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon-cs/common_cs_vty.c:222:31: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->dyn_ts_allow_tch_f = atoi(argv[0]) ? true : false; data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon-cs/common_cs_vty.c:233:38: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). gsmnet->subscr_group->keep_subscr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon-cs/common_cs_vty.c:249:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int tzhr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon-cs/common_cs_vty.c:250:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int tzmn = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon-cs/common_cs_vty.c:273:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int tzhr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon-cs/common_cs_vty.c:274:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int tzmn = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon-cs/common_cs_vty.c:275:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int tzdst = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/gsm_data_shared.c:431:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char ts2str[255]; data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/gsup_test_client.c:50:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char imsi[17]; data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/gsup_test_client.c:286:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char imsi_buf[17]; data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/oap_client.c:123:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(tx_xres, vec.res, 8); data/openbsc-1.3.2+dfsg1/openbsc/src/libfilter/bsc_msg_filter.c:114:28: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). entry->cm_reject_cause = atoi(cfg_entry->mnc); data/openbsc-1.3.2+dfsg1/openbsc/src/libfilter/bsc_msg_filter.c:115:28: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). entry->lu_reject_cause = atoi(cfg_entry->option); data/openbsc-1.3.2+dfsg1/openbsc/src/libfilter/bsc_msg_filter.c:211:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mi_string[GSM48_MI_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/libfilter/bsc_msg_filter.c:241:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mi_string[GSM48_MI_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/libfilter/bsc_msg_filter.c:276:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mi_string[GSM48_MI_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/libfilter/bsc_msg_filter.c:303:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mi_string[GSM48_MI_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/libfilter/bsc_msg_vty.c:125:28: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). entry->cm_reject_cause = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libfilter/bsc_msg_vty.c:127:28: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). entry->lu_reject_cause = atoi(argv[3]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_network.c:88:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&out.sin_addr, addr, sizeof(*addr)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_network.c:602:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->data, buf, len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_network.c:704:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[RTP_BUF_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_network.c:800:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[RTP_BUF_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_network.c:867:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[RTP_BUF_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_osmux.c:49:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&out.sin_addr, &handle->rem_addr, sizeof(handle->rem_addr)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_osmux.c:163:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->data, buf, rc); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_osmux.c:302:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(osmux_cid, &msg->data[1], sizeof(*osmux_cid)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_osmux.c:546:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[1 + sizeof(uint8_t)]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_osmux.c:550:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&buf[1], &endp->osmux.cid, sizeof(endp->osmux.cid)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:135:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->l2h, endp->last_response, msgb_l2len(msg)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:272:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char sdp_record[4096]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:275:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char osmux_extension[strlen("\nX-Osmux: 255") + 1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:281:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(osmux_extension, "\nX-Osmux: %u", endp->osmux.cid); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:633:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char codec[9]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:1038:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char stats[1048]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:1411:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[2096]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:1439:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[2096]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:1471:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[128]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_sdp.c:45:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char audio_codec[64]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_sdp.c:144:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char audio_codec[64]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_sdp.c:168:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char audio_codec[64]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_sdp.c:207:4: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char audio_name[64]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_sdp.c:248:4: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char ipv4[16]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:312:22: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). unsigned int port = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:330:22: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). unsigned int port = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:338:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). range->range_start = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:339:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). range->range_end = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:458:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int dscp = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:476:27: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). g_cfg->bts_force_ptime = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:530:25: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). unsigned int payload = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:603:28: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). g_cfg->trunk.audio_loop = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:613:31: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). g_cfg->trunk.force_realloc = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:623:34: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). g_cfg->trunk.number_endpoints = atoi(argv[0]) + 1; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:706:42: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). mgcp_trunk_set_keepalive(&g_cfg->trunk, atoi(argv[0])); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:781:34: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). g_cfg->transcoder_remote_base = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:790:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int index = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:876:25: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). unsigned int payload = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:914:22: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). trunk->audio_loop = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1049:34: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). mgcp_trunk_set_keepalive(trunk, atoi(argv[0])); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1105:28: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). trunk = find_trunk(g_cfg, atoi(argv[0])); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1108:4: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). atoi(argv[0]), VTY_NEWLINE); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1127:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int loop = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1157:28: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). trunk = find_trunk(g_cfg, atoi(argv[0])); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1160:4: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). atoi(argv[0]), VTY_NEWLINE); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1195:32: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). tap->forward.sin_port = htons(atoi(argv[4])); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1208:28: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). trunk = find_trunk(g_cfg, atoi(argv[0])); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1211:4: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). atoi(argv[0]), VTY_NEWLINE); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1242:28: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). trunk = find_trunk(g_cfg, atoi(argv[0])); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1245:4: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). atoi(argv[0]), VTY_NEWLINE); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1325:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). g_cfg->osmux_batch = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1334:28: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). g_cfg->osmux_batch_size = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1343:22: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). g_cfg->osmux_port = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1384:32: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). g_cfg->bts_jitter_delay_min = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:1403:32: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). g_cfg->bts_jitter_delay_max = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:240:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[32]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:270:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(sms->user_data, user_data, sms->user_data_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:416:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(sms->user_data, user_data, sms->user_data_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:558:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). db_rev = atoi(rev_s); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:747:9: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). cm1 = atoi(string) & 0xff; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:756:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(equip->classmark2, cm2, equip->classmark2_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:763:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(equip->classmark3, cm3, equip->classmark3_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:792:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ainfo->a3a8_ki, a3a8_ki, ainfo->a3a8_ki_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:883:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(atuple->vec.rand, blob, len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:890:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(atuple->vec.sres, blob, len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:897:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(atuple->vec.kc, blob, len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:1081:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[32]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:1085:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf, "%llu", subscr->id); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:1111:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char tmsi[14]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:1123:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tmsi, "%u", subscriber->tmsi); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:1375:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char tmsi[14]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:1387:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tmsi, "%u", subscriber->tmsi); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:1504:65: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. int db_subscriber_assoc_imei(struct gsm_subscriber *subscriber, char imei[GSM23003_IMEISV_NUM_DIGITS]) data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/db.c:1678:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(sms->user_data, user_data, sms->user_data_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:229:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&op->atuple, &atuple, sizeof(struct gsm_auth_tuple)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:516:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(mid, mi, len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:561:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mi_string[GSM48_MI_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:633:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mi_string[GSM48_MI_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:925:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ar->rand, rand, 16); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:1003:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mi_string[GSM48_MI_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:1071:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(subscr->equipment.classmark2, classmark2, classmark2_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:1088:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mi_string[GSM48_MI_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:1162:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(res, ar->sres, sizeof(ar->sres)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:1214:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(res + 4, &data[2], ie_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:1452:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mi_string[GSM48_MI_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:1498:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(subscr->equipment.classmark2, classmark2_lv+1, *classmark2_lv); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:1571:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(gh->data+2, apdu, apdu_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:1702:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(data, mncc, sizeof(struct gsm_mncc)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:2722:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&trans->cc.msg, disc, sizeof(struct gsm_mncc)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:2807:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&trans->cc.msg, rel, sizeof(struct gsm_mncc)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:3747:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&trans->cc.msg, data, sizeof(struct gsm_mncc)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_11.c:240:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(smsp, oa, oa_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_11.c:267:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(smsp, sms->user_data, octet_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_11.c:272:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(smsp, sms->user_data, sms->user_data_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_11.c:309:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(smsp, oa, oa_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_11.c:447:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(address_lv, smsp, da_len_bytes); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_11.c:490:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(gsms->user_data, smsp, gsms->user_data_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_subscriber.c:243:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char tmsi_string[14]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_subscriber.c:252:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tmsi_string, "%u", tmsi); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_subscriber.c:286:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[32]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_subscriber.c:287:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf, "%llu", id); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/meas_feed.c:26:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char scenario[31+1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/meas_feed.c:101:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[256]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/osmo_msc.c:93:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(subscr->equipment.classmark2, cm2, cm2_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/osmo_msc.c:96:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(subscr->equipment.classmark3, cm3, cm3_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_openbsc.c:216:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(sms->user_data, sms_msg, sms_msg_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_openbsc.c:255:3: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy((char *)submit_r->message_id, "msg_id_not_implemented"); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_openbsc.c:428:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(tlv.value.octet, data, tlv.length); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_openbsc.c:651:2: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy((char *)deliver.service_type, "CMT"); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_openbsc.c:705:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(dst, sms->user_data, udh_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_openbsc.c:713:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(deliver.short_message, sms->user_data, deliver.sm_length); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.c:369:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[SMALL_BUFF]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.c:400:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[SMALL_BUFF]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.c:841:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(cur, lenptr, sizeof(uint32_t)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.c:930:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&esme->sa, s, esme->sa_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.h:37:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char addr[21+1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.h:60:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char system_id[SMPP_SYS_ID_LEN+1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.h:70:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char system_id[SMPP_SYS_ID_LEN+1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.h:71:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char passwd[SMPP_PASSWD_LEN+1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.h:118:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char system_id[SMPP_SYS_ID_LEN+1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_vty.c:134:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint16_t port = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_vty.c:145:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). uint16_t port = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_vty.c:527:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char host[128], serv[128]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/ussd.c:44:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char response_string[GSM_EXTENSION_LENGTH + 20]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:69:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char expire_time[200]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:197:51: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). return subscr_get_by_tmsi(gsmnet->subscr_group, atoi(id)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:199:49: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). return subscr_get_by_id(gsmnet->subscr_group, atoi(id)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:462:10: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). level = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:647:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). subscr->authorized = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:754:28: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts = gsm_bts_num(gsmnet, atoi(argv[2])); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:757:4: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). atoi(argv[2]), VTY_NEWLINE); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:991:44: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). sms_queue_set_max_pending(net->sms_queue, atoi(argv[0])); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:1013:44: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). sms_queue_set_max_failure(net->sms_queue, atoi(argv[0])); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:1115:34: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). rc = meas_feed_cfg_set(argv[0], atoi(argv[1])); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/rtp_proxy.c:193:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(payload_out, payload, payload_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/rtp_proxy.c:285:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(payload, frame->data + 1, payload_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/rtp_proxy.c:287:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(payload, frame->data, payload_len); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/rtp_proxy.c:339:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(cur, new_cname, strlen(new_cname)); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/rtp_proxy.c:371:4: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char new_cname[255]; data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/trau_mux.c:67:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(check_bits + 0 , d_bits + 0, 22); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/trau_mux.c:68:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(check_bits + 22 , d_bits + 24, 3); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/trau_mux.c:74:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(check_bits + 0 , d_bits + 42, 10); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/trau_mux.c:75:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(check_bits + 10 , d_bits + 90, 2); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/trau_mux.c:80:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(check_bits + 0 , d_bits + 98, 5); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/trau_mux.c:82:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(check_bits + 6 , d_bits + 143, 2); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/trau_mux.c:87:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(check_bits + 0 , d_bits + 151, 10); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/trau_mux.c:88:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(check_bits + 10 , d_bits + 199, 2); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/trau_mux.c:93:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(check_bits + 0 , d_bits + 207, 5); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/trau_mux.c:95:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(check_bits + 6 , d_bits + 252, 2); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_api.c:331:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char _dest_nr[35]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_api.c:356:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(_dest_nr + 2, called.number, sizeof(called.number)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_api.c:358:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(_dest_nr, called.number, sizeof(called.number)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_api.c:511:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(lchan->mr_bts_lv, lchan->mr_ms_lv, sizeof(lchan->mr_ms_lv)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_bssap.c:135:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mi_string[GSM48_MI_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_bssap.c:531:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(data, msg->l3h + sizeof(*header), length - sizeof(*header)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_ctrl.c:298:19: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). curloc->tstamp = atol(tstamp); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_ctrl.c:345:11: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). tstamp = atol(tstampstr); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_ctrl.c:409:23: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). tz->hr = hourstr ? atol(hourstr) : 0; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_ctrl.c:410:22: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). tz->mn = minstr ? atol(minstr) : 0; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_ctrl.c:411:22: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). tz->dst = dststr ? atol(dststr) : 0; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_ctrl.c:450:13: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). tz_hours = atol(hourstr); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_ctrl.c:451:12: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). tz_mins = atol(minstr); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_ctrl.c:452:11: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). tz_dst = atol(dststr); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_ctrl.c:548:8: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). cic = atoi(cic_str); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_ctrl.c:549:10: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). alert = atoi(alert_str); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_filter.c:58:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mi_string[GSM48_MI_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_main.c:141:42: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). log_set_log_level(osmo_stderr_target, atoi(optarg)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_msc.c:112:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(mgcp->data, msg->l2h, mgcp->len); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_msc.c:477:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(auth.u.umts.opc, data->bsc_key, 16); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_msc.c:478:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(auth.u.umts.k, data->bsc_key, 16); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:65:26: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int index = argc == 1 ? atoi(argv[0]) : 0; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:303:19: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). data->core_lac = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:313:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). data->core_ci = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:325:19: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). data->rtp_base = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:364:33: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). data->audio_support[i]->ver = atoi(argv[i] + 2); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:411:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). dest->port = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:412:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). dest->dscp = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:426:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int port = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:427:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int dscp = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:458:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). data->ping_timeout = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:468:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). data->pong_timeout = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:725:27: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). data->mid_call_timeout = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:746:27: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). data->auto_off_timeout = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:821:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char timestr[50]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:862:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). bts_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:233:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy((uint8_t *) TLVP_VAL(&tp, GSM0808_IE_CIRCUIT_IDENTITY_CODE), data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:263:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[2096]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:284:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[2096]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:734:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char transaction_id[60]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:779:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(save, msg->l2h, msgb_l2len(msg) + 1); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:848:35: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. int bsc_mgcp_parse_response(const char *str, int *code, char transaction[60]) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:848:57: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. int bsc_mgcp_parse_response(const char *str, int *code, char transaction[60]) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:887:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[40]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:888:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char osmux_extension[strlen("\nX-Osmux: 255") + 1]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:899:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(osmux_extension, "\nX-Osmux: %u", osmux_cid & 0xff); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:921:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[128]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:956:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(output->l3h, ip_str, strlen(ip_str)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:958:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(output->l3h, ip, strlen(ip)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:981:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(output->l3h, buf, strlen(buf)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:988:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(output->l3h, token, len); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:1002:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(output->l3h, buf, strlen(buf)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:1029:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(nat->mgcp_msg, msg->l2h, msgb_l2len(msg)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:1067:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->l2h, nat->mgcp_msg, msgb_l2len(msg)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat.c:219:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(id_req, s_id_req, sizeof(s_id_req)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat.c:229:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, mrand, 16); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat.c:423:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->data, data, length); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat.c:836:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->l2h, reset, msgb_l2len(msg)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat.c:1022:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(auth.u.umts.opc, conf->key, 16); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat.c:1023:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(auth.u.umts.k, conf->key, 16); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c:212:8: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). *nr = atoi(nr_str); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:102:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char int_number[sizeof(called->number) + 2]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:120:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&int_number[1], number, strlen(number) + 1); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:225:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(outptr, hdr48, sizeof(*hdr48)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:230:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(outptr, &hdr48->data[0], sec_len); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:244:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(outptr, msgptr, sec_len); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:359:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(data, new_addr, new_addr_len); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:419:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(data, &data_ptr[2 + 1 + old_dest_len], data_len - 2 - 1 - old_dest_len); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:430:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(new_hdr48, old_hdr48, sizeof(*old_hdr48)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:450:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char smsc_addr[30]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:454:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char _dest_nr[30]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite_trie.c:92:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(new->rules[pos]->prefix, rule->prefix, sizeof(rule->prefix)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite_trie.c:93:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(new->rules[pos]->rewrite, rule->rewrite, sizeof(rule->rewrite)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite_trie.c:156:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(rule->prefix, line, size_prefix); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite_trie.c:160:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(rule->rewrite, split, size_end); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite_trie.c:175:9: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). file = fopen(filename, "r"); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_utils.c:395:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->l3h, data, length); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_utils.c:492:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(lac, &data[0], sizeof(*lac)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_utils.c:493:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ci, &data[2], sizeof(*ci)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:260:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:381:28: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if (by_nr && conf->nr != atoi(id)) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:385:52: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). else if (by_lac && !bsc_config_handles_lac(conf, atoi(id))) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:421:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bsc_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:458:26: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). _nat->main_dest->port = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:469:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). _nat->auth_timeout = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:480:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). _nat->ping_timeout = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:491:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). _nat->pong_timeout = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:508:22: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). _nat->bsc_ip_dscp = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:897:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int bsc_nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:957:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int lac = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:985:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int lac = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:1047:24: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). conf->max_endpoints = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:1084:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). conf->paging_group = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:1130:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int nr = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:1131:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int endp = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:1164:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int group = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:1183:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int group = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:1201:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int lac = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:1216:12: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int lac = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:1299:31: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). conf->bts_jitter_delay_min = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c:1320:31: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). conf->bts_jitter_delay_max = atoi(argv[0]); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_ussd.c:309:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(copy->l2h, input->l2h, msgb_l2len(input)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_ussd.c:342:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(copy->l2h, input->l2h, msgb_l2len(input)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_ussd.c:351:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&state->src_ref, &con->remote_ref, sizeof(con->remote_ref)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_ussd.c:352:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&state->dst_ref, &con->real_ref, sizeof(con->real_ref)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_ussd.c:353:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(state->imsi, con->filter_state.imsi, strlen(con->filter_state.imsi)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-nitb/bsc_hack.c:78:11: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). int fd = open(file, O_WRONLY|O_TRUNC|O_CREAT, mode); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-nitb/bsc_hack.c:171:42: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). log_set_log_level(osmo_stderr_target, atoi(optarg)); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:134:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(cur, obj_bbsig0_attr, sizeof(obj_bbsig0_attr)); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:346:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char retbuf[256]; data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:352:3: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string. strcat(retbuf, "BS11 "); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:355:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(retbuf+strlen(retbuf), "Power Amplifier %d ", data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:359:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(retbuf+strlen(retbuf), "Line Interface "); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:362:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(retbuf+strlen(retbuf), "CCLK "); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:367:3: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string. strcat(retbuf, "SITE MANAGER "); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:370:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(retbuf+strlen(retbuf), "BPORT%u ", data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:567:33: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). abis_nm_bs11_set_pll(g_bts, atoi(value)); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:577:33: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). abis_nm_bs11_set_pll(g_bts, atoi(value)); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:834:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). delay_ms = atoi(optarg); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:837:15: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). win_size = atoi(optarg); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/isdnsync.c:91:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char buffer[2048]; data/openbsc-1.3.2+dfsg1/openbsc/src/utils/isdnsync.c:177:9: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). card = atoi(argv[1]); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/smpp_mirror.c:43:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char system_id[SMPP_SYS_ID_LEN+1]; data/openbsc-1.3.2+dfsg1/openbsc/src/utils/smpp_mirror.c:44:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char password[SMPP_SYS_ID_LEN+1]; data/openbsc-1.3.2+dfsg1/openbsc/src/utils/smpp_mirror.c:246:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(cur, lenptr, sizeof(uint32_t)); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/smpp_mirror.c:348:10: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). port = atoi(argv[2]); data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc-nat/bsc_nat_test.c:242:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->data, results[i].data, results[i].length); data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc-nat/bsc_nat_test.c:266:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->l2h, data, msgb_l2len(msg)); data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc-nat/bsc_nat_test.c:659:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char transaction[60]; data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc-nat/bsc_nat_test.c:1514:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->l2h, bssmap_cr, ARRAY_SIZE(bssmap_cr)); data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc/bsc_test.c:90:47: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). fprintf(stderr, "get_int(%s) -> %d\n", key, atoi(kv)); data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc/bsc_test.c:95:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). return kv ? atoi(kv) : def; data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc/bsc_test.c:157:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(msg->l3h, test_def->data, test_def->length); data/openbsc-1.3.2+dfsg1/openbsc/tests/db/db_test.c:83:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(sms->src.addr, "1234", strlen("1234") + 1); data/openbsc-1.3.2+dfsg1/openbsc/tests/db/db_test.c:87:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(sms->dst.addr, subscr->extension, sizeof(subscr->extension)); data/openbsc-1.3.2+dfsg1/openbsc/tests/db/db_test.c:89:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(sms->text, "Text123", strlen("Text123") + 1); data/openbsc-1.3.2+dfsg1/openbsc/tests/db/db_test.c:90:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(sms->user_data, "UserData123", strlen("UserData123") + 1); data/openbsc-1.3.2+dfsg1/openbsc/tests/db/db_test.c:167:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char scratch_str[256]; data/openbsc-1.3.2+dfsg1/openbsc/tests/gsm0408/gsm0408_test.c:294:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mi_parsed[GSM48_MI_SIZE]; data/openbsc-1.3.2+dfsg1/openbsc/tests/gsm0408/gsm0408_test.c:459:4: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char rnd_arfcns_set[1024] = {0}; data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_test.c:55:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[2048]; data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_test.c:460:26: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. if (len == 1 && ((const char *)buf)[0] == MGCP_DUMMY_LOAD ) { data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_test.c:919:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[4096]; data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:218:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[4096] = {0x80, 0}; data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:240:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, src_pkts, src_pkt_size); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:275:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[4096]; data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:293:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, audio_packets_pcma[0].data, len); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:311:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, audio_packets_pcma[0].data, len); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:325:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[4096]; data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:338:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, audio_packets_gsm[0].data, len); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:357:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, audio_packets_gsm[0].data, len); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:376:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, audio_packets_pcma[1].data, len); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:384:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, audio_packets_pcma[2].data, len); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:403:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, audio_packets_pcma[1].data, len); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:412:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, audio_packets_pcma[2].data, len); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:427:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, audio_packets_pcma[2].data, len); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:443:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[4096] = {0x80, 0}; data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:468:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, audio_packets_pcma[0].data, len); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:486:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, audio_packets_pcma[1].data, len); data/openbsc-1.3.2+dfsg1/openbsc/tests/mgcp/mgcp_transcoding_test.c:503:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[4096] = {0x80, 0}; data/openbsc-1.3.2+dfsg1/openbsc/tests/mm_auth/mm_auth_test.c:15:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[256]; data/openbsc-1.3.2+dfsg1/openbsc/tests/trau/trau_test.c:66:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char data[33]; data/openbsc-1.3.2+dfsg1/openbsc/contrib/testconv/testconv_main.c:95:15: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). while ((cc = read(0, buf + 12, in_size))) { data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1040:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(line_buf) + 2; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1047:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(line_buf)+2; data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1051:9: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). len = read(sw->fd, &seg_buf, IPACC_SEGMENT_SIZE); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1127:7: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). rc = read(sw->fd, &firmware_header, sizeof(firmware_header)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1185:8: [1] (buffer) fscanf: It's unclear if the %s limit in the format string is small enough (CWE-120). Check that the limit is sufficiently small, or use a different input function. rc = fscanf(sw->stream, "@(#)%12s:%80s\r\n", data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1192:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sw->file_id_len = strlen(file_id); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:1194:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sw->file_version_len = strlen(file_version); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2250:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). + 1 + strlen(name); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2258:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(name), (uint8_t *)name); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2272:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(password) != 10) data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2277:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). fill_om_fom_hdr(oh, 2+strlen(password), NM_MT_BS11_SET_ATTR, data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2387:7: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(linebuf) < 4) data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2390:8: [1] (buffer) sscanf: It's unclear if the %s limit in the format string is small enough (CWE-120). Check that the limit is sufficiently small, or use a different input function. rc = sscanf(linebuf+4, "%12s:%80s\r\n", file_id, file_version); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2407:3: [1] (buffer) strncat: Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf, or automatically resizing strings. strncat(fle->fname, dirname(dir), sizeof(fle->fname) - 1); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2408:3: [1] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character. strcat(fle->fname, "/"); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2409:3: [1] (buffer) strncat: Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf, or automatically resizing strings. strncat(fle->fname, file_id, sizeof(fle->fname) - 1 -strlen(fle->fname)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_nm.c:2409:56: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strncat(fle->fname, file_id, sizeof(fle->fname) - 1 -strlen(fle->fname)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2498:6: [1] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source is a constant character. sprintf(string + strlen(string), ","); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2498:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(string + strlen(string), ","); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2499:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(string + strlen(string), "%d", k + i*8); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_om2000.c:2505:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(string + strlen(string), ")\n"); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/abis_rsl.c:1044:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int i, len = strlen(str_in); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_ctrl_commands.c:52:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). const size_t len = strlen(value); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_msc.c:307:20: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). msgb_put_u8(msg, strlen(token) + 2); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_msc.c:308:47: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). msgb_tv_fixed_put(msg, IPAC_IDTAG_UNITNAME, strlen(token) + 1, (uint8_t *) token); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_msc.c:315:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). msgb_l16tv_put(msg, strlen(token) + 1, data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_rf_ctrl.c:310:7: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). rc = read(fd->fd, buf, sizeof(buf)); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_rf_ctrl.c:459:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). local.sun_len = strlen(local.sun_path); data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_rf_ctrl.c:464:12: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). namelen = strlen(local.sun_path) + data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1074:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(subscr->name)) data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1076:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(subscr->extension)) data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bsc_vty.c:1089:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(bsub->imsi)) data/openbsc-1.3.2+dfsg1/openbsc/src/libbsc/bts_nokia_site.c:1400:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int indent_len = strlen(indent); data/openbsc-1.3.2+dfsg1/openbsc/src/libcommon/gsm_subscriber_base.c:50:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(subscr->name)) data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:71:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). const size_t line_len = strlen(line); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:134:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). msg->l2h = msgb_put(msg, strlen(endp->last_response)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:275:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char osmux_extension[strlen("\nX-Osmux: 255") + 1]; data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_protocol.c:752:37: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strncmp("Osmux: ", line + 2, strlen("Osmux: ")) == 0) data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_sdp.c:210:8: [1] (buffer) sscanf: It's unclear if the %s limit in the format string is small enough (CWE-120). Check that the limit is sufficiently small, or use a different input function. if (sscanf(line, "a=rtpmap:%d %63s", data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_sdp.c:250:8: [1] (buffer) sscanf: It's unclear if the %s limit in the format string is small enough (CWE-120). Check that the limit is sufficiently small, or use a different input function. if (sscanf(line, "c=IN IP4 %15s", ipv4) == 1) { data/openbsc-1.3.2+dfsg1/openbsc/src/libmgcp/mgcp_vty.c:72:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (g_cfg->bts_ip && strlen(g_cfg->bts_ip) != 0) data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/ctrl_commands.c:67:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). else if (strlen(imsi) > GSM23003_IMSI_MAX_DIGITS) data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/ctrl_commands.c:69:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). else if (strlen(msisdn) >= GSM_EXTENSION_LENGTH) data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:766:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). name_len = strlen(net->name_long); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:780:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). name_len = (strlen(net->name_long)*7)/8; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:781:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). name_pad = (8 - strlen(net->name_long)*7)%8; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:797:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). name_len = strlen(net->name_short); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:808:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). name_len = (strlen(net->name_short)*7)/8; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:809:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). name_pad = (8 - strlen(net->name_short)*7)%8; data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/gsm_04_08.c:1495:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). subscr->name && strlen(subscr->name) ? subscr->name : subscr->imsi); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/meas_feed.c:103:7: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). rc = read(ofd->fd, buf, sizeof(buf)); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_openbsc.c:484:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t imei_len = strlen(subscr->equipment.imei); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.c:134:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(sys_id) > SMPP_SYS_ID_LEN) data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.c:287:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(r->u.prefix.addr))) { data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.c:438:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(acl->passwd) && data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.c:820:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). rc = read(ofd->fd, lenptr + esme->read_idx, rdlen); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_smsc.c:849:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). rc = read(ofd->fd, msg->tail, OSMO_MIN(rdlen, msgb_tailroom(msg))); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_vty.c:156:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(argv[0])+1 > sizeof(smsc->system_id)) data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_vty.c:192:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(smsc->system_id) > 0) data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_vty.c:211:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(id) > 16) { data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_vty.c:261:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(argv[0])+1 > sizeof(acl->passwd)) data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_vty.c:283:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). for (i = 0; i < strlen(str); i++) { data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/smpp_vty.c:575:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(acl->passwd)) data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/token_auth.c:40:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(subscr->imsi) + 8 + strlen(TOKEN_SMS_TEXT); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/token_auth.c:40:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(subscr->imsi) + 8 + strlen(TOKEN_SMS_TEXT); data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:73:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(subscr->name)) data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:75:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(subscr->extension)) data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:678:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(name) > sizeof(subscr->name)-1) { data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:712:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(ext) > sizeof(subscr->extension)-1) { data/openbsc-1.3.2+dfsg1/openbsc/src/libmsc/vty_interface_layer3.c:1064:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(meas_scenario) > 0) data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/rtp_proxy.c:324:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (len < strlen(new_cname)) { data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/rtp_proxy.c:326:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int increase = strlen(new_cname) - len; data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/rtp_proxy.c:339:28: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(cur, new_cname, strlen(new_cname)); data/openbsc-1.3.2+dfsg1/openbsc/src/libtrau/rtp_proxy.c:397:7: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). rc = read(rss->bfd.fd, msg->data, RTP_ALLOC_SIZE); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_msc.c:67:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). ret = read(fd->fd, mgcp->data, 4096 - 128); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:355:7: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(argv[i]) != 3 data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc/osmo_bsc_vty.c:841:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). timestr[strlen(timestr)-1] = 0; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:672:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). const size_t line_len = strlen(line); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:689:36: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). const size_t x_osmux_prefix_len = strlen(x_osmux_prefix); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:792:39: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strncasecmp(line, "X-Osmux: ", strlen("X-Osmux: ")) == 0) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:852:7: [1] (buffer) sscanf: It's unclear if the %s limit in the format string is small enough (CWE-120). Check that the limit is sufficiently small, or use a different input function. rc = sscanf(str, "%3d %59s\n", code, transaction) != 2; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:861:31: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). const size_t ci_prefix_len = strlen(ci_prefix); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:888:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char osmux_extension[strlen("\nX-Osmux: 255") + 1]; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:945:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int len = strlen(token); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:955:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). output->l3h = msgb_put(output, strlen(ip_str)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:956:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(output->l3h, ip_str, strlen(ip_str)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:957:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). output->l3h = msgb_put(output, strlen(ip)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:958:28: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(output->l3h, ip, strlen(ip)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:980:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). output->l3h = msgb_put(output, strlen(buf)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:981:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(output->l3h, buf, strlen(buf)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:1001:34: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). output->l3h = msgb_put(output, strlen(buf)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:1002:28: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(output->l3h, buf, strlen(buf)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c:1051:7: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). rc = read(fd->fd, nat->mgcp_msg, sizeof(nat->mgcp_msg) - 1); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c:405:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). str += strlen("net.0.add.allow.access-list."); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c:406:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(str) == 0) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:120:34: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(&int_number[1], number, strlen(number) + 1); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:184:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(new_number_pre) > sizeof(called.number)) { data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:201:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(chosen_number) > sizeof(called.number)) { data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:360:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). data[0] = strlen(new_number); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite.c:584:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (!imsi || strlen(imsi) < 5) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite_trie.c:48:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). const int len = strlen(rule->prefix); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite_trie.c:117:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(line); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite_trie.c:133:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_end = strlen(split) - 1; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_rewrite_trie.c:205:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). const int len = OSMO_MIN(strlen(prefix), (sizeof(rule->prefix) - 1)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_nat_utils.c:195:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). const int token_len = strlen(conf->token) + 1; data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_sccp.c:33:12: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. static int equal(struct sccp_source_reference *ref1, struct sccp_source_reference *ref2) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_sccp.c:48:7: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. if (equal(ref, &conn->patched_ref)) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_sccp.c:94:8: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. if (!equal(parsed->src_local_ref, &conn->real_ref)) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_sccp.c:162:7: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. if (equal(parsed->src_local_ref, &conn->patched_ref)) { data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_sccp.c:190:8: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. if (!equal(parsed->dest_local_ref, &conn->patched_ref)) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_sccp.c:220:8: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. if (equal(parsed->src_local_ref, &conn->real_ref)) { data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_sccp.c:225:8: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. if (equal(parsed->dest_local_ref, &conn->remote_ref)) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_sccp.c:242:7: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. if (equal(ref, &conn->real_ref)) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_ussd.c:193:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(conn->nat->ussd_token) != len - 1) data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_ussd.c:353:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(state->imsi, con->filter_state.imsi, strlen(con->filter_state.imsi)); data/openbsc-1.3.2+dfsg1/openbsc/src/osmo-bsc_nat/bsc_ussd.c:402:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(con->filter_state.imsi) > GSM23003_IMSI_MAX_DIGITS) data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:355:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(retbuf+strlen(retbuf), "Power Amplifier %d ", data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:359:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(retbuf+strlen(retbuf), "Line Interface "); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:362:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(retbuf+strlen(retbuf), "CCLK "); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/bs11_config.c:370:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(retbuf+strlen(retbuf), "BPORT%u ", data/openbsc-1.3.2+dfsg1/openbsc/src/utils/smpp_mirror.c:231:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). rc = read(ofd->fd, lenptr + esme->read_idx, rdlen); data/openbsc-1.3.2+dfsg1/openbsc/src/utils/smpp_mirror.c:254:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). rc = read(ofd->fd, msg->tail, OSMO_MIN(rdlen, msgb_tailroom(msg))); data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc-nat/bsc_nat_test.c:627:36: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). output = bsc_mgcp_rewrite(input, strlen(input), 0x1e, data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc-nat/bsc_nat_test.c:640:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (msgb_l2len(output) != strlen(patc)) { data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc-nat/bsc_nat_test.c:641:82: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). printf("Wrong sizes for test: %d %u != %zu != %zu\n", i, msgb_l2len(output), strlen(patc), strlen(orig)); data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc-nat/bsc_nat_test.c:641:96: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). printf("Wrong sizes for test: %d %u != %zu != %zu\n", i, msgb_l2len(output), strlen(patc), strlen(orig)); data/openbsc-1.3.2+dfsg1/openbsc/tests/bsc/bsc_test.c:89:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). kv += strlen(key) + 1; data/openbsc-1.3.2+dfsg1/openbsc/tests/db/db_test.c:83:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(sms->src.addr, "1234", strlen("1234") + 1); data/openbsc-1.3.2+dfsg1/openbsc/tests/db/db_test.c:89:31: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(sms->text, "Text123", strlen("Text123") + 1); data/openbsc-1.3.2+dfsg1/openbsc/tests/db/db_test.c:90:40: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(sms->user_data, "UserData123", strlen("UserData123") + 1); data/openbsc-1.3.2+dfsg1/openbsc/tests/db/db_test.c:91:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sms->user_data_len = strlen("UserData123"); data/openbsc-1.3.2+dfsg1/openbsc/tests/db/db_test.c:118:36: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). OSMO_ASSERT(sms->user_data_len == strlen("UserData123")); data/openbsc-1.3.2+dfsg1/openbsc/tests/mm_auth/mm_auth_test.c:46:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). l1 = strlen(expect_str); data/openbsc-1.3.2+dfsg1/openbsc/tests/mm_auth/mm_auth_test.c:47:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). l2 = strlen(tuple_str); ANALYSIS SUMMARY: Hits = 754 Lines analyzed = 81528 in approximately 1.96 seconds (41493 lines/second) Physical Source Lines of Code (SLOC) = 60272 Hits@level = [0] 598 [1] 135 [2] 588 [3] 17 [4] 14 [5] 0 Hits@level+ = [0+] 1352 [1+] 754 [2+] 619 [3+] 31 [4+] 14 [5+] 0 Hits/KSLOC@level+ = [0+] 22.4316 [1+] 12.51 [2+] 10.2701 [3+] 0.514335 [4+] 0.23228 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.