| commit | 3386e4447df52c62fa08374a2e795f00f08b3a1b | [log] [tgz] |
|---|---|---|
| author | Daniel Willmann <dwillmann@sysmocom.de> | Fri Jan 17 15:17:36 2014 +0100 |
| committer | Daniel Willmann <daniel@totalueberwachung.de> | Tue Jan 28 18:15:15 2014 +0100 |
| tree | e2d12dfef0acda0f8a9dba66073416a87bbf7863 | |
| parent | bd892d26dc1862b86caba0e84993cfc47c421ac0 [diff] |
smpp_smsc: Fix integer overflow in read return value and msgb_alloc() The size parameter of msgb_alloc is uint16_t so any length value above 65535 will allocate a msgb with incorrect size. This patch changes the type of rdlen and rc to ssize_t (the return value of read) and guards against the read length being larger than UINT16_MAX. To reproduce the issue run: echo -en "\x00\x01\x00\x01\x01" |socat stdin tcp:localhost:2775