author | Pablo Neira Ayuso <pablo@gnumonks.org> | 2017-08-10 09:38:58 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@gnumonks.org> | 2017-08-10 10:00:30 +0200 |
commit | 7fa0bcd928ea1deac9951253850b77492bd4aad9 (patch) | |
tree | c8a3872a46915abde7bec72d61238022628fba46 | |
parent | ac8ca4cfd19a23131959e88be49b6c56738a38c0 (diff) |
libmsc: gsm340_gen_oa_sub() may return negative value
gsm340_gen_oa() returns a negative value if the output buffer that the
caller passes is too small, so we have to check the return value of this
function.
Fixes: CID 174178
Fixes: CID 174179
Change-Id: I47215d7d89771730a7f84efa8aeeb187a0911fdb
-rw-r--r-- | openbsc/src/libmsc/gsm_04_11.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/openbsc/src/libmsc/gsm_04_11.c b/openbsc/src/libmsc/gsm_04_11.c
index 73e0f554e..8b4ffce0f 100644
--- a/openbsc/src/libmsc/gsm_04_11.c
+++ b/openbsc/src/libmsc/gsm_04_11.c
@@ -213,9 +213,9 @@ static int gsm340_gen_sms_deliver_tpdu(struct msgb *msg, struct gsm_sms *sms)
 {
 uint8_t *smsp;
 uint8_t oa[12]; /* max len per 03.40 */
- uint8_t oa_len = 0;
 uint8_t octet_len;
 unsigned int old_msg_len = msg->len;
+ int oa_len;
 
 /* generate first octet with masked bits */
 smsp = msgb_put(msg, 1);
@@ -233,6 +233,9 @@ static int gsm340_gen_sms_deliver_tpdu(struct msgb *msg, struct gsm_sms *sms)
 
 /* generate originator address */
 oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->src);
+ if (oa_len < 0)
+ return -ENOSPC;
+
 smsp = msgb_put(msg, oa_len);
 memcpy(smsp, oa, oa_len);
 
@@ -282,9 +285,9 @@ static int gsm340_gen_sms_status_report_tpdu(struct msgb *msg,
 struct gsm_sms *sms)
 {
 unsigned int old_msg_len = msg->len;
- uint8_t oa_len = 0;
 uint8_t oa[12]; /* max len per 03.40 */
 uint8_t *smsp;
+ int oa_len;
 
 /* generate first octet with masked bits */
 smsp = msgb_put(msg, 1);
@@ -296,8 +299,12 @@ static int gsm340_gen_sms_status_report_tpdu(struct msgb *msg,
 /* TP-MR (message reference) */
 smsp = msgb_put(msg, 1);
 *smsp = sms->msg_ref;
+
 /* generate recipient address */
 oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->dst);
+ if (oa_len < 0)
+ return -ENOSPC;
+
 smsp = msgb_put(msg, oa_len);
 memcpy(smsp, oa, oa_len);
 
|
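Review bot: The new `return -ENOSPC;` in gsm340_gen_sms_deliver_tpdu() leaves `msg` holding the octets already appended by the earlier `msgb_put()` calls (the first octet is put before the address is generated), so on failure the buffer contains a truncated TPDU; the early return added to gsm340_gen_sms_status_report_tpdu() has the same effect. Both functions record `old_msg_len` on entry, so the error path could restore the buffer to that length, or the contract should at least be stated next to the check, e.g. `/* on error msg holds a partial TPDU; the caller must discard it */`. The callers are outside this diff, so whether they test for a negative return before sending `msg` needs confirming. Both function bodies continue past the hunks shown.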
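Review bot: The length passed to `memcpy(smsp, oa, oa_len)` in gsm340_gen_sms_status_report_tpdu() is still bounded only by what gsm340_gen_oa_sub() returns, because the added check rejects negative values alone; the same pattern is in gsm340_gen_sms_deliver_tpdu(). gsm340_gen_oa_sub() is not shown and may never return more than the `sizeof(oa)` it is given, but `oa` is a 12-byte stack array whose contents are copied into an outgoing message, so a too-large length would copy adjacent stack memory into the TPDU. Tying the bound to the array at the call site keeps that from depending on the callee: `if (oa_len < 0 || (size_t)oa_len > sizeof(oa)) return -ENOSPC;`.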