smpp: Fix potential crash in handling submitSM
In case:
* No message_payload and a 0 sm_length was used
* esm_class indicates UDH being present
* 7bit encoding was requested
The code would execute:
ud_len = *sms_msg + 1;
Which is a NULL pointer dereference and would lead
to a crash of the NITB. Enforce the limits of the
sm_length parameter and reject the message otherwise.
Fixes: Coverity CID 1042373
diff --git a/openbsc/src/libmsc/smpp_openbsc.c b/openbsc/src/libmsc/smpp_openbsc.c
index ff5ab40..b17222f 100644
--- a/openbsc/src/libmsc/smpp_openbsc.c
+++ b/openbsc/src/libmsc/smpp_openbsc.c
@@ -114,12 +114,13 @@
}
sms_msg = t->value.octet;
sms_msg_len = t->length;
- } else if (submit->sm_length) {
+ } else if (submit->sm_length > 0 && submit->sm_length < 255) {
sms_msg = submit->short_message;
sms_msg_len = submit->sm_length;
} else {
- sms_msg = NULL;
- sms_msg_len = 0;
+ LOGP(DLSMS, LOGL_ERROR,
+ "SMPP neither message payload nor valid sm_length.\n");
+ return ESME_RINVPARLEN;
}
sms = sms_alloc();
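Review bot: the upper bound in the new `else if` condition, `submit->sm_length < 255`, is a bare magic number; tie it to the actual size of `submit->short_message` (e.g. `sizeof(submit->short_message)`) or a named constant so the limit cannot silently drift from the struct definition, and document why 255 itself is excluded. The new `LOGP(DLSMS, LOGL_ERROR, ...)` line would also be more useful for diagnosing misbehaving ESMEs if it printed the rejected `submit->sm_length` value rather than only a generic message before returning `ESME_RINVPARLEN`.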