From a0735ecab558ea1759a8262eff62865bbed01051 Mon Sep 17 00:00:00 2001 From: Holger Hans Peter Freyther Date: Sun, 8 Feb 2015 09:53:44 +0100 Subject: [PATCH] smpp: Fix potential crash in handling submitSM In case: * No message_payload and a 0 sm_length was used * esm_class indicates UDH being present * 7bit encoding was requested The code would execute: ud_len = *sms_msg + 1; Which is a NULL pointer dereference and would lead to a crash of the NITB. Enforce the limits of the sm_length parameter and reject the messae otherwise. Fixes: Coverity CID 1042373 --- openbsc/src/libmsc/smpp_openbsc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/openbsc/src/libmsc/smpp_openbsc.c b/openbsc/src/libmsc/smpp_openbsc.c index ff5ab400e..b17222fb4 100644 --- a/openbsc/src/libmsc/smpp_openbsc.c +++ b/openbsc/src/libmsc/smpp_openbsc.c @@ -114,12 +114,13 @@ static int submit_to_sms(struct gsm_sms **psms, struct gsm_network *net, } sms_msg = t->value.octet; sms_msg_len = t->length; - } else if (submit->sm_length) { + } else if (submit->sm_length > 0 && submit->sm_length < 255) { sms_msg = submit->short_message; sms_msg_len = submit->sm_length; } else { - sms_msg = NULL; - sms_msg_len = 0; + LOGP(DLSMS, LOGL_ERROR, + "SMPP neither message payload nor valid sm_length.\n"); + return ESME_RINVPARLEN; } sms = sms_alloc();