| author | Daniel Willmann <dwillmann@sysmocom.de> | 2014-01-17 15:17:36 +0100 |
|---|---|---|
| committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2014-03-06 23:20:30 +0100 |
| commit | b6f01e77b1b270f2ee9b193be01599ce31728991 (patch) | |
| tree | 0fae2fb68b9a78f695fea64a416bf50553b4c970 | |
| parent | a4540b2c3bd9875d311d065f1f912e21758b7ae4 (diff) | |
smpp_smsc: Check that the size is large enough to hold actual data
The first 4 bytes are the length including the length field. For
length < 4 the subsequent msgb_put(msg, sizeof(uint32_t)) will fail,
resulting in an abort. The code also expects (in smpp_msgb_cmdid()) the
existence of 4 more bytes for the SMPP command ID.
This patch checks that the length received is large enough to hold all
8 bytes in the msgb and drops the connection if that's not the case.
The issue is reproducible with:

```
echo -e "\x00\x00\x00\x02\x00" |socat stdin tcp:localhost:2775
```
| -rw-r--r-- | openbsc/src/libmsc/smpp_smsc.c | 6 |
|---|---|---|

1 files changed, 6 insertions, 0 deletions
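The framing check the commit describes, written out as a stand-alone validator (an added example, not OpenBSC's code). It goes slightly beyond the patch: the floor is the full 16-byte SMPP header rather than the 8 bytes the fix requires, and an assumed upper bound `SMPP_MAX_PDU_LEN` rejects oversized lengths before anything is allocated. The enum and function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Example, not OpenBSC code. An SMPP PDU starts with a 16-byte header of four
 * big-endian uint32 fields (command_length, command_id, command_status,
 * sequence_number); command_length counts itself, so anything below 16 is bogus. */
#define SMPP_HDR_LEN 16u
#define SMPP_MAX_PDU_LEN 65536u /* assumed upper bound, chosen for this example */

enum smpp_len_status {
	SMPP_LEN_OK,        /* plausible length: safe to allocate and keep reading */
	SMPP_LEN_NEED_MORE, /* fewer than 4 bytes buffered, length not yet known */
	SMPP_LEN_TOO_SMALL, /* below header size: the later msgb_put() would abort */
	SMPP_LEN_TOO_LARGE  /* above the assumed maximum: refuse to allocate it */
};

/* Decode the length field without depending on host byte order. */
static uint32_t smpp_read_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Check the command_length at the start of buf ('avail' bytes received so far)
 * before any allocation or further header parsing; mirrors the patched read_cb. */
enum smpp_len_status smpp_check_pdu_len(const uint8_t *buf, size_t avail,
					uint32_t *out_len)
{
	if (avail < sizeof(uint32_t))
		return SMPP_LEN_NEED_MORE;
	uint32_t len = smpp_read_be32(buf);
	if (len < SMPP_HDR_LEN)
		return SMPP_LEN_TOO_SMALL;
	if (len > SMPP_MAX_PDU_LEN)
		return SMPP_LEN_TOO_LARGE;
	if (out_len)
		*out_len = len;
	return SMPP_LEN_OK;
}

int main(void)
{
	/* Constructed input: the 5-byte probe from the commit message. */
	const uint8_t probe[] = { 0x00, 0x00, 0x00, 0x02, 0x00 };
	/* Constructed input: a minimal 16-byte header (command_id 0x15, enquire_link). */
	const uint8_t hdr[] = { 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x15,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
	uint32_t len = 0;
	printf("probe -> %d\n", smpp_check_pdu_len(probe, sizeof(probe), &len));
	printf("header -> %d (len %u)\n", smpp_check_pdu_len(hdr, sizeof(hdr), &len), len);
	return 0;
}
```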
diff --git a/openbsc/src/libmsc/smpp_smsc.c b/openbsc/src/libmsc/smpp_smsc.c index 1e9829bae..605bdd5fa 100644 --- a/openbsc/src/libmsc/smpp_smsc.c +++ b/openbsc/src/libmsc/smpp_smsc.c @@ -803,6 +803,12 @@ static int esme_link_read_cb(struct osmo_fd *ofd) if (esme->read_idx >= sizeof(uint32_t)) { esme->read_len = ntohl(len); + if (esme->read_len < 8) { + LOGP(DSMPP, LOGL_ERROR, "[%s] read length too small %u\n", + esme->system_id, esme->read_len); + goto dead_socket; + } + msg = msgb_alloc(esme->read_len, "SMPP Rx"); if (!msg) return -ENOMEM; |
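Review bot: the new check bounds `esme->read_len` only from below; `msg = msgb_alloc(esme->read_len, "SMPP Rx");` still allocates whatever 32-bit value the peer put in the length field, so one oversized length from an unauthenticated client forces a very large allocation before any other validation. Suggest extending the new test to an upper bound as well, for example `if (esme->read_len < 8 || esme->read_len > SMPP_MAX_PDU_LEN)` with a suitable maximum (the name is a placeholder), logging and taking the same `goto dead_socket;` path. Also consider a named constant for the bare `8`, which the commit message derives from the length field plus the command ID, so the minimum stays in step with whatever header fields the parser later reads.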