author | Pablo Neira Ayuso <pablo@gnumonks.org> | 2017-08-10 09:38:58 +0200 |
---|---|---|
committer | Neels Hofmeyr <neels@hofmeyr.de> | 2017-08-27 17:40:55 +0200 |
commit | 0456d2bc328e8e8181639fc6cf7001c787fa8e37 (patch) | |
tree | 26edeab935289a61d1da51393ee976a09f5fc63a /src | |
parent | 170285d236f1dabf9fa5a9b6e2c936099b6592e0 (diff) |
libmsc: gsm340_gen_oa_sub() may return negative value
gsm340_gen_oa() returns a negative value if the output buffer that the
caller passes is too small, so we have to check the return value of this
function.
Fixes: CID 174178
Fixes: CID 174179
Change-Id: I47215d7d89771730a7f84efa8aeeb187a0911fdb
Diffstat (limited to 'src')
-rw-r--r-- | src/libmsc/gsm_04_11.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/libmsc/gsm_04_11.c b/src/libmsc/gsm_04_11.c
index 261e5cd64..eede74c23 100644
--- a/src/libmsc/gsm_04_11.c
+++ b/src/libmsc/gsm_04_11.c
@@ -215,9 +215,9 @@ static int gsm340_gen_sms_deliver_tpdu(struct msgb *msg, struct gsm_sms *sms)
 {
 uint8_t *smsp;
 uint8_t oa[12]; /* max len per 03.40 */
- uint8_t oa_len = 0;
 uint8_t octet_len;
 unsigned int old_msg_len = msg->len;
+ int oa_len;
 /* generate first octet with masked bits */
 smsp = msgb_put(msg, 1);
@@ -235,6 +235,9 @@ static int gsm340_gen_sms_deliver_tpdu(struct msgb *msg, struct gsm_sms *sms)
 /* generate originator address */
 oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->src);
+ if (oa_len < 0)
+ return -ENOSPC;
+
 smsp = msgb_put(msg, oa_len);
 memcpy(smsp, oa, oa_len);
@@ -284,9 +287,9 @@ static int gsm340_gen_sms_status_report_tpdu(struct msgb *msg,
 struct gsm_sms *sms)
 {
 unsigned int old_msg_len = msg->len;
- uint8_t oa_len = 0;
 uint8_t oa[12]; /* max len per 03.40 */
 uint8_t *smsp;
+ int oa_len;
 /* generate first octet with masked bits */
 smsp = msgb_put(msg, 1);
@@ -298,8 +301,12 @@ static int gsm340_gen_sms_status_report_tpdu(struct msgb *msg,
 /* TP-MR (message reference) */
 smsp = msgb_put(msg, 1);
 *smsp = sms->msg_ref;
+
 /* generate recipient address */
 oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->dst);
+ if (oa_len < 0)
+ return -ENOSPC;
+
 smsp = msgb_put(msg, oa_len);
 memcpy(smsp, oa, oa_len); |
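Review bot: Both new `return -ENOSPC;` paths (the originator-address hunk in gsm340_gen_sms_deliver_tpdu and the recipient-address hunk in gsm340_gen_sms_status_report_tpdu) return after msgb_put() has already appended at least the first octet, and in the status-report case the TP-MR octet too, so msg is left holding a partial TPDU. Whether callers check for a negative return and discard msg is not visible in these hunks and should be confirmed; otherwise restore the buffer before returning, e.g. `msgb_trim(msg, old_msg_len);` ahead of each `return -ENOSPC;`, or generate the address before the first msgb_put(). The following `memcpy(smsp, oa, oa_len)` still relies on gsm340_gen_oa_sub() never returning more than `sizeof(oa)`, which the hunks do not show; a one-line comment stating that contract next to the check would help the next reader. Both function bodies continue outside the hunks.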