paulmataruso/osmo-mgw
1
0
Fork 0
mirror of https://gitea.osmocom.org/cellular-infrastructure/osmo-mgw.git synced 2025-11-03 13:33:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

smpp: Fix potential crash in handling submitSM

Browse Source 
In case:

* No message_payload and a 0 sm_length was used
* esm_class indicates UDH being present
* 7bit encoding was requested

The code would execute:

  ud_len = *sms_msg + 1;

Which is a NULL pointer dereference and would lead
to a crash of the NITB. Enforce the limits of the
sm_length parameter and reject the messae otherwise.

Fixes: Coverity CID 1042373
This commit is contained in:
Holger Hans Peter Freyther
2015-02-08 09:53:44 +01:00
parent 60e073e28d
commit a0735ecab5
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
openbsc/src/libmsc/smpp_openbsc.c
View File

@@ -114,12 +114,13 @@ static int submit_to_sms(struct gsm_sms **psms, struct gsm_network *net,
} }
sms_msg = t->value.octet; sms_msg = t->value.octet;
sms_msg_len = t->length; sms_msg_len = t->length;
} else if (submit->sm_length) { } else if (submit->sm_length > 0 && submit->sm_length < 255) {
sms_msg = submit->short_message; sms_msg = submit->short_message;
sms_msg_len = submit->sm_length; sms_msg_len = submit->sm_length;
} else { } else {
sms_msg = NULL; LOGP(DLSMS, LOGL_ERROR,
sms_msg_len = 0; "SMPP neither message payload nor valid sm_length.\n");
return ESME_RINVPARLEN;
} }
sms = sms_alloc(); sms = sms_alloc();