diff options
author | Daniel Willmann <dwillmann@sysmocom.de> | 2014-01-17 15:17:36 +0100 |
---|---|---|
committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2014-03-06 23:20:30 +0100 |
commit | 1fc8ec66a3e59e806b6a1b926443365527ea63c2 (patch) | |
tree | 4a7328c72904f56d61c0b14d2a6af4f6d3005dd2 /openbsc/tests/smpp_test_runner.py | |
parent | b6f01e77b1b270f2ee9b193be01599ce31728991 (diff) |
smpp_smsc: Fix integer overflow in read return value and msgb_alloc()
The size parameter of msgb_alloc is uint16_t so any length value above
65535 will allocate a msgb with incorrect size.
This patch changes the type of rdlen and rc to ssize_t (the return value
of read) and guards against the read length being larger than
UINT16_MAX.
To reproduce the issue run:
echo -en "\x00\x01\x00\x01\x01" |socat stdin tcp:localhost:2775
Diffstat (limited to 'openbsc/tests/smpp_test_runner.py')
0 files changed, 0 insertions, 0 deletions