From fc71e6b8d02f765121552cdc1c0ecb4cb842e1ba Mon Sep 17 00:00:00 2001
From: Joshua Brindle
Date: Tue, 11 Oct 2016 11:24:27 -0400
Subject: [PATCH 1/3] mismatched delete on buffer, should be free()

---
 UMTS/UMTSRadioModem.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/UMTS/UMTSRadioModem.cpp b/UMTS/UMTSRadioModem.cpp
index 7194f49..f660cbb 100644
--- a/UMTS/UMTSRadioModem.cpp
+++ b/UMTS/UMTSRadioModem.cpp
@@ -1211,7 +1211,7 @@ void RadioModem::transmitSlot(UMTS::Time nowTime, bool &underrun)
 // write to the socket
 mDataSocket.write(buffer,bufferSize);
- delete []buffer;
+ free(buffer);
 mLastTransmitTime = nowTime;
 //LOG(INFO) << LOGVAR(mLastTransmitTime) <
Date: Tue, 11 Oct 2016 14:28:33 -0400
Subject: [PATCH 2/3] Fix invalid read on sockfile config

Accessing the return from function().c_str() is undefined behavior because the value returned is stored in a temporary object and may not be valid anymore. Please see: https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=29032683
---
 apps/OpenBTS-UMTS.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/OpenBTS-UMTS.cpp b/apps/OpenBTS-UMTS.cpp
index 480ae35..901c95e 100644
--- a/apps/OpenBTS-UMTS.cpp
+++ b/apps/OpenBTS-UMTS.cpp
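Review bot: In patch 1/3's `transmitSlot` hunk the allocation of `buffer` is not visible, so the diff alone cannot confirm that `free(buffer)` is the matching release; the commit message should name the allocating call. A comment on the new line, e.g. `// buffer comes from the malloc family (see allocation above); release with free(), never delete[]`, would keep the pairing from drifting again. Because the only release sits after `mDataSocket.write(...)`, any exit path between the allocation and this line would presumably leak the buffer, which is worth checking since the function body starts and ends outside the hunk.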
@@ -260,11 +260,11 @@ int main(int argc, char *argv[])
 struct sockaddr_un cmdSockName;
 cmdSockName.sun_family = AF_UNIX;
- const char* sockpath = gConfig.getStr("CLI.SocketPath").c_str();
- char rmcmd[strlen(sockpath)+5];
- sprintf(rmcmd,"rm -f %s",sockpath);
+ const string sockpath = gConfig.getStr("CLI.SocketPath");
+ char rmcmd[strlen(sockpath.c_str())+5];
+ sprintf(rmcmd,"rm -f %s",sockpath.c_str());
 if (system(rmcmd)) {} // The 'if' shuts up gcc warnings.
- strcpy(cmdSockName.sun_path,sockpath);
+ strcpy(cmdSockName.sun_path,sockpath.c_str());
 LOG(INFO) "binding CLI datagram socket at " << sockpath;
 if (bind(sock, (struct sockaddr *) &cmdSockName, sizeof(struct sockaddr_un))) {
 perror("binding name to cmd datagram socket");
From 2b37707bc95c917a6af42782c700fb2135ce93c4 Mon Sep 17 00:00:00 2001
From: Joshua Brindle
Date: Tue, 11 Oct 2016 15:28:33 -0400
Subject: [PATCH 3/3] Properly unlink CLI sock file instead of using system()

---
 apps/OpenBTS-UMTS.cpp | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/apps/OpenBTS-UMTS.cpp b/apps/OpenBTS-UMTS.cpp
index 901c95e..8ff2b37 100644
--- a/apps/OpenBTS-UMTS.cpp
+++ b/apps/OpenBTS-UMTS.cpp
@@ -35,6 +35,7 @@ ConfigurationTable gConfig("/etc/OpenBTS/OpenBTS-UMTS.db","OpenBTS-UMTS", getCon
 #include
 #include
 #include
+#include
 #ifdef HAVE_LIBREADLINE // [
 //# include
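Review bot: In patch 2/3's `@@ -260,11 +260,11 @@` hunk, the new `strcpy(cmdSockName.sun_path,sockpath.c_str());` still copies a configuration value of unchecked length into the fixed-size `sun_path` array, so an over-long `CLI.SocketPath` overruns `cmdSockName` on the stack; the same line remains as context in patch 3/3. Guard the copy with `if (sockpath.size() >= sizeof(cmdSockName.sun_path))` and take the same failure path as the bind error below it. Separately, `rmcmd` is two bytes short: `"rm -f "` is six characters plus the terminating NUL, so `strlen(sockpath.c_str())+5` should be `+7`. Patch 3/3 deletes those lines, but this commit on its own still writes past the array. `main` starts and ends outside the hunk.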
@@ -261,9 +262,13 @@ int main(int argc, char *argv[])
 struct sockaddr_un cmdSockName;
 cmdSockName.sun_family = AF_UNIX;
 const string sockpath = gConfig.getStr("CLI.SocketPath");
- char rmcmd[strlen(sockpath.c_str())+5];
- sprintf(rmcmd,"rm -f %s",sockpath.c_str());
- if (system(rmcmd)) {} // The 'if' shuts up gcc warnings.
+ int rc = unlink(sockpath.c_str());
+ if (rc == -1) {
+ // If it does not exist just move on, otherwise say something
+ if (errno != ENOENT) {
+ LOG(ALERT) << "Cannot delete CLI sock file, error: " << strerror(errno);
+ }
+ }
 strcpy(cmdSockName.sun_path,sockpath.c_str());
 LOG(INFO) "binding CLI datagram socket at " << sockpath;
 if (bind(sock, (struct sockaddr *) &cmdSockName, sizeof(struct sockaddr_un))) {
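Review bot: In patch 3/3's `@@ -261,9 +262,13 @@` hunk, `unlink(sockpath.c_str())` removes whatever `CLI.SocketPath` names, not only a stale socket, so a mistyped or altered configuration value deletes an unrelated file with the daemon's privileges. Checking the type with `lstat()` and `S_ISSOCK` before unlinking, and logging instead of deleting when the path is anything else, limits that. The check needs `<sys/stat.h>`, and the gap between check and unlink is still a race, so the socket's directory should not be writable by other users. The `rc` temporary can be folded into the condition at the same time. `main` starts and ends outside the hunk.

```cpp
	const string sockpath = gConfig.getStr("CLI.SocketPath");
	// Only remove a stale socket; leave any other file type in place.
	struct stat st;
	if (lstat(sockpath.c_str(), &st) == 0) {
		if (!S_ISSOCK(st.st_mode)) {
			LOG(ALERT) << "CLI.SocketPath exists and is not a socket: " << sockpath;
		} else if (unlink(sockpath.c_str()) == -1 && errno != ENOENT) {
			LOG(ALERT) << "Cannot delete CLI sock file, error: " << strerror(errno);
		}
	} else if (errno != ENOENT) {
		// A missing path is the normal case; anything else is worth reporting.
		LOG(ALERT) << "Cannot stat CLI sock file, error: " << strerror(errno);
	}
	// … unchanged: strcpy into sun_path, LOG(INFO), bind …
```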