diff options
author | Daniel Willmann <dwillmann@sysmocom.de> | 2014-01-17 15:17:36 +0100 |
---|---|---|
committer | Daniel Willmann <daniel@totalueberwachung.de> | 2014-01-28 18:15:15 +0100 |
commit | 3386e4447df52c62fa08374a2e795f00f08b3a1b (patch) | |
tree | e2d12dfef0acda0f8a9dba66073416a87bbf7863 /debian | |
parent | bd892d26dc1862b86caba0e84993cfc47c421ac0 (diff) |
smpp_smsc: Fix integer overflow in read return value and msgb_alloc()daniel/smpp-fixes
The size parameter of msgb_alloc is uint16_t so any length value above
65535 will allocate a msgb with incorrect size.
This patch changes the type of rdlen and rc to ssize_t (the return value
of read) and guards against the read length being larger than
UINT16_MAX.
To reproduce the issue run:
echo -en "\x00\x01\x00\x01\x01" |socat stdin tcp:localhost:2775
Diffstat (limited to 'debian')
0 files changed, 0 insertions, 0 deletions