authorHolger Hans Peter Freyther <holger@moiji-mobile.com>2015-02-08 09:53:44 +0100
committerHolger Hans Peter Freyther <holger@moiji-mobile.com>2015-02-08 09:56:31 +0100
commita0735ecab558ea1759a8262eff62865bbed01051 (patch)
treecc3c1db68c861db846fc747201358dbb939a4ecf
parent60e073e28d5e52f8eb4feaa422abc71b8b9f831b (diff)
smpp: Fix potential crash in handling submitSM
In case: * No message_payload and a 0 sm_length was used * esm_class indicates UDH being present * 7bit encoding was requested The code would execute: ud_len = *sms_msg + 1; which is a NULL pointer dereference and would lead to a crash of the NITB. Enforce the limits of the sm_length parameter and reject the message otherwise. Fixes: Coverity CID 1042373
-rw-r--r--openbsc/src/libmsc/smpp_openbsc.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/openbsc/src/libmsc/smpp_openbsc.c b/openbsc/src/libmsc/smpp_openbsc.c
index ff5ab400e..b17222fb4 100644
--- a/openbsc/src/libmsc/smpp_openbsc.c
+++ b/openbsc/src/libmsc/smpp_openbsc.c
@@ -114,12 +114,13 @@ static int submit_to_sms(struct gsm_sms **psms, struct gsm_network *net,
}
sms_msg = t->value.octet;
sms_msg_len = t->length;
- } else if (submit->sm_length) {
+ } else if (submit->sm_length > 0 && submit->sm_length < 255) {
sms_msg = submit->short_message;
sms_msg_len = submit->sm_length;
} else {
- sms_msg = NULL;
- sms_msg_len = 0;
+ LOGP(DLSMS, LOGL_ERROR,
+ "SMPP neither message payload nor valid sm_length.\n");
+ return ESME_RINVPARLEN;
}
sms = sms_alloc();
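Review bot: The upper bound in `submit->sm_length > 0 && submit->sm_length < 255` on the new `else if` line is a bare magic number; a comment giving its origin would spare the next reader a trip to the spec, e.g. `/* SMPP 3.4: sm_length is 0..254 octets, so 255 is out of range */` above the `else if`. This check removes the NULL dereference described in the commit message, but it does not by itself bound the UDH length byte that the message says is later read as `*sms_msg + 1`; if that path does not compare the resulting ud_len against sms_msg_len, a short_message whose first octet claims a UDH longer than the payload would still be read past its end, which is worth confirming in the code following this hunk. submit_to_sms continues outside the hunk.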