diff options
author | Oliver Smith <osmith@sysmocom.de> | 2023-06-22 12:15:15 +0200 |
---|---|---|
committer | Oliver Smith <osmith@sysmocom.de> | 2023-06-22 12:15:15 +0200 |
commit | 6a8dae666ccbc6a11b4ca5763832c5a5aa12bcf7 (patch) | |
tree | 2daf91ae1da9c8bc4875175c7b45829a5c23b96d /src/libsmpputil | |
parent | d0980a4e8b1e1a1db8bece18c31ecfd3b13cc8b9 (diff) |
smpp_msc: submit_to_sms: check ud_len > sms_msg_len
Fixes: CID#240727
Change-Id: Ie01ac84816f6ac3ba5631a643d486fb0dfb05eb2
Diffstat (limited to 'src/libsmpputil')
-rw-r--r-- | src/libsmpputil/smpp_msc.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/libsmpputil/smpp_msc.c b/src/libsmpputil/smpp_msc.c index 87cab0087..fed5858b0 100644 --- a/src/libsmpputil/smpp_msc.c +++ b/src/libsmpputil/smpp_msc.c @@ -245,6 +245,12 @@ static int submit_to_sms(struct gsm_sms **psms, struct gsm_network *net, sms->data_coding_scheme = GSM338_DCS_1111_7BIT; if (sms->ud_hdr_ind) { ud_len = *sms_msg + 1; + if (ud_len > sms_msg_len) { + sms_free(sms); + LOGP(DLSMS, LOGL_ERROR, "invalid ud_len=%u > sms_msg_len=%u\n", ud_len, + sms_msg_len); + return ESME_RINVPARLEN; + } printf("copying %u bytes user data...\n", ud_len); memcpy(sms->user_data, sms_msg, OSMO_MIN(ud_len, sizeof(sms->user_data))); |