authorPablo Neira Ayuso <pablo@gnumonks.org>2017-08-10 09:38:58 +0200
committerPablo Neira Ayuso <pablo@gnumonks.org>2017-08-10 10:00:30 +0200
commit7fa0bcd928ea1deac9951253850b77492bd4aad9 (patch)
treec8a3872a46915abde7bec72d61238022628fba46 /openbsc/src/libmsc
parentac8ca4cfd19a23131959e88be49b6c56738a38c0 (diff)
libmsc: gsm340_gen_oa_sub() may return negative value
gsm340_gen_oa() returns a negative value if the output buffer that the caller passes is too small, so we have to check the return value of this function. Fixes: CID 174178 Fixes: CID 174179 Change-Id: I47215d7d89771730a7f84efa8aeeb187a0911fdb
Diffstat (limited to 'openbsc/src/libmsc')
-rw-r--r--openbsc/src/libmsc/gsm_04_11.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/openbsc/src/libmsc/gsm_04_11.c b/openbsc/src/libmsc/gsm_04_11.c
index 73e0f554e..8b4ffce0f 100644
--- a/openbsc/src/libmsc/gsm_04_11.c
+++ b/openbsc/src/libmsc/gsm_04_11.c
@@ -213,9 +213,9 @@ static int gsm340_gen_sms_deliver_tpdu(struct msgb *msg, struct gsm_sms *sms)
{
uint8_t *smsp;
uint8_t oa[12]; /* max len per 03.40 */
- uint8_t oa_len = 0;
uint8_t octet_len;
unsigned int old_msg_len = msg->len;
+ int oa_len;
/* generate first octet with masked bits */
smsp = msgb_put(msg, 1);
@@ -233,6 +233,9 @@ static int gsm340_gen_sms_deliver_tpdu(struct msgb *msg, struct gsm_sms *sms)
/* generate originator address */
oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->src);
+ if (oa_len < 0)
+ return -ENOSPC;
+
smsp = msgb_put(msg, oa_len);
memcpy(smsp, oa, oa_len);
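Review bot: The new early return `if (oa_len < 0) return -ENOSPC;` exits after earlier `msgb_put()` calls have already appended octets to `msg`, so the caller gets an error together with a partially built TPDU. The callers are outside this diff, so it cannot be confirmed here that they discard `msg` on a negative return. Restoring the buffer before returning, e.g. `msgb_trim(msg, old_msg_len);`, would make the error path safe regardless. Alternatively, a comment above the function could state that `msg` must be freed on failure. The same applies to the identical check added in gsm340_gen_sms_status_report_tpdu(). Both paths also fail silently, so an error-level log line naming the address that did not fit in `oa[12]` would help operators spot malformed subscriber numbers; the function body continues outside the hunk.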
@@ -282,9 +285,9 @@ static int gsm340_gen_sms_status_report_tpdu(struct msgb *msg,
struct gsm_sms *sms)
{
unsigned int old_msg_len = msg->len;
- uint8_t oa_len = 0;
uint8_t oa[12]; /* max len per 03.40 */
uint8_t *smsp;
+ int oa_len;
/* generate first octet with masked bits */
smsp = msgb_put(msg, 1);
@@ -296,8 +299,12 @@ static int gsm340_gen_sms_status_report_tpdu(struct msgb *msg,
/* TP-MR (message reference) */
smsp = msgb_put(msg, 1);
*smsp = sms->msg_ref;
+
/* generate recipient address */
oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->dst);
+ if (oa_len < 0)
+ return -ENOSPC;
+
smsp = msgb_put(msg, oa_len);
memcpy(smsp, oa, oa_len);