smpp_msc: submit_to_sms: check ud_len > sms_msg_len

Fixes: CID#240727 Change-Id: Ie01ac84816f6ac3ba5631a643d486fb0dfb05eb2
author: Oliver Smith <osmith@sysmocom.de> 2023-06-22 12:15:15 +0200
committer: Oliver Smith <osmith@sysmocom.de> 2023-06-22 12:15:15 +0200
commit: 6a8dae666ccbc6a11b4ca5763832c5a5aa12bcf7 (patch)
tree: 2daf91ae1da9c8bc4875175c7b45829a5c23b96d /src/libsmpputil
parent: d0980a4e8b1e1a1db8bece18c31ecfd3b13cc8b9 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/src/libsmpputil/smpp_msc.c b/src/libsmpputil/smpp_msc.c
index 87cab0087..fed5858b0 100644
--- a/src/libsmpputil/smpp_msc.c
+++ b/src/libsmpputil/smpp_msc.c
@@ -245,6 +245,12 @@ static int submit_to_sms(struct gsm_sms **psms, struct gsm_network *net,
 		sms->data_coding_scheme = GSM338_DCS_1111_7BIT;
 		if (sms->ud_hdr_ind) {
 			ud_len = *sms_msg + 1;
+			if (ud_len > sms_msg_len) {
+				sms_free(sms);
+				LOGP(DLSMS, LOGL_ERROR, "invalid ud_len=%u > sms_msg_len=%u\n", ud_len,
+				     sms_msg_len);
+				return ESME_RINVPARLEN;
+			}
 			printf("copying %u bytes user data...\n", ud_len);
 			memcpy(sms->user_data, sms_msg,
 				OSMO_MIN(ud_len, sizeof(sms->user_data)));
author	Oliver Smith <osmith@sysmocom.de>	2023-06-22 12:15:15 +0200
committer	Oliver Smith <osmith@sysmocom.de>	2023-06-22 12:15:15 +0200
commit	6a8dae666ccbc6a11b4ca5763832c5a5aa12bcf7 (patch)
tree	2daf91ae1da9c8bc4875175c7b45829a5c23b96d /src/libsmpputil
parent	d0980a4e8b1e1a1db8bece18c31ecfd3b13cc8b9 (diff)