author | Harald Welte <laforge@osmocom.org> | 2021-10-25 08:18:58 +0200 |
committer | laforge <laforge@osmocom.org> | 2021-10-25 09:58:51 +0000 |
commit | 890ece12776f11da20bb6f7c36392fc60d1393cc (patch) | |
tree | 777b52d89bf5032062a60f97aa6472efe9ee99c0 | |
parent | 065b23ae5b38a986e8fe4309bfc03dc979c62c41 (diff) |
smpp_mirror: Don't allocate msgb's for unrealistic amounts of memory
If the remote ESME would send us 0xffffffff as length field, don't try
to allocate 4GB of memory, but bail out.
Change-Id: I561f75210811826de06ea1673eca1df24faaa210
Fixes: CID#240738
-rw-r--r-- | src/utils/smpp_mirror.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/utils/smpp_mirror.c b/src/utils/smpp_mirror.c
index 883c498d7..72d15e39d 100644
--- a/src/utils/smpp_mirror.c
+++ b/src/utils/smpp_mirror.c
@@ -246,6 +246,10 @@ static int esme_read_cb(struct osmo_fd *ofd)
 esme->read_idx += rc;
 if (esme->read_idx >= sizeof(uint32_t)) {
 esme->read_len = ntohl(len);
+ if (esme->read_len > 65535) {
+ /* unrealistic */
+ goto dead_socket;
+ }
 msg = msgb_alloc(esme->read_len, "SMPP Rx");
 if (!msg)
 return -ENOMEM;
@@ -283,6 +287,7 @@ dead_socket:
 osmo_fd_unregister(&esme->wqueue.bfd);
 close(esme->wqueue.bfd.fd);
 esme->wqueue.bfd.fd = -1;
+ esme_read_state_reset(esme);
 exit(2342);
 return 0; |
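Review bot: The new bound at `if (esme->read_len > 65535)` only rejects the oversized case, and it only works if `esme->read_len` is an unsigned type — the field's declaration is outside the hunk, and if it were a signed `int`, `ntohl(len)` returning 0xffffffff would compare as -1 and still reach `msgb_alloc`. Worth confirming the field is `uint32_t`. A lower bound is also missing: a peer-supplied length smaller than the 4-byte length field already consumed (the hunk's own `read_idx >= sizeof(uint32_t)` shows that much has been read) would wrap if the code after the hunk computes the remaining byte count as `read_len - sizeof(uint32_t)` in unsigned arithmetic — I cannot see that code, so treat this as something to verify. I would write `if (esme->read_len < sizeof(uint32_t) || esme->read_len > SMPP_MAX_PDU_LEN)` with `#define SMPP_MAX_PDU_LEN 65535` replacing the bare magic number, and expand `/* unrealistic */` to say where the bound comes from. esme_read_cb's body begins and continues outside this hunk.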
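Review bot: The added `esme_read_state_reset(esme);` is immediately followed by the pre-existing `exit(2342);`, so the reset has no observable effect — the process terminates before any later read callback could see the cleared state. If the intent is for the mirror to survive a misbehaving peer, it is the `exit()` that would need to go; otherwise the reset is dead code and deserves a comment such as `/* read state reset kept for when the exit() below is dropped */` so the next reader does not assume the socket is recycled. The `dead_socket:` label's enclosing function starts outside this hunk, and whether anything follows `return 0;` is not visible here.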