summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Willmann <dwillmann@sysmocom.de>2014-01-17 15:17:36 +0100
committerDaniel Willmann <daniel@totalueberwachung.de>2014-01-28 18:14:22 +0100
commitbd892d26dc1862b86caba0e84993cfc47c421ac0 (patch)
tree475c74ea4b549899fd6ca46fafa3458001f4320f
parentc0ee00451e9504dbf2ffdfe14d12fb6873a333a3 (diff)
smpp_smsc: Check that the size is large enough to hold actual data
The first 4 bytes are the length including the length field. For length < 4 the subsequent msgb_put(msg, sizeof(uint32_t)) will fail, resulting in an abort. The code also expects (in smpp_msgb_cmdid()) the existence of 4 more bytes for the SMPP command ID. This patch checks that the length received is large enough to hold all 8 bytes in the msgb and drops the connection if that's not the case. The issue is reproducible with: echo -e "\x00\x00\x00\x02\x00" |socat stdin tcp:localhost:2775
-rw-r--r--openbsc/src/libmsc/smpp_smsc.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/openbsc/src/libmsc/smpp_smsc.c b/openbsc/src/libmsc/smpp_smsc.c
index 1e9829b..605bdd5 100644
--- a/openbsc/src/libmsc/smpp_smsc.c
+++ b/openbsc/src/libmsc/smpp_smsc.c
@@ -803,6 +803,12 @@ static int esme_link_read_cb(struct osmo_fd *ofd)
if (esme->read_idx >= sizeof(uint32_t)) {
esme->read_len = ntohl(len);
+ if (esme->read_len < 8) {
+ LOGP(DSMPP, LOGL_ERROR, "[%s] read length too small %u\n",
+ esme->system_id, esme->read_len);
+ goto dead_socket;
+ }
+
msg = msgb_alloc(esme->read_len, "SMPP Rx");
if (!msg)
return -ENOMEM;