diff options
author | Daniel Willmann <dwillmann@sysmocom.de> | 2014-01-17 15:17:36 +0100 |
---|---|---|
committer | Daniel Willmann <daniel@totalueberwachung.de> | 2014-01-28 18:14:22 +0100 |
commit | bd892d26dc1862b86caba0e84993cfc47c421ac0 (patch) | |
tree | 475c74ea4b549899fd6ca46fafa3458001f4320f /openbsc/src/libmgcp | |
parent | c0ee00451e9504dbf2ffdfe14d12fb6873a333a3 (diff) |
smpp_smsc: Check that the size is large enough to hold actual data
The first 4 bytes are the length including the length field. For
length < 4 the subsequent msgb_put(msg, sizeof(uint32_t)) will fail,
resulting in an abort. The code also expects (in smpp_msgb_cmdid()) the
existence of 4 more bytes for the SMPP command ID.
This patch checks that the length received is large enough to hold all
8 bytes in the msgb and drops the connection if that's not the case.
The issue is reproducible with:
echo -e "\x00\x00\x00\x02\x00" |socat stdin tcp:localhost:2775
Diffstat (limited to 'openbsc/src/libmgcp')
0 files changed, 0 insertions, 0 deletions