smpp: Fix potential crash in handling submitSM In case: * No message_payload and a 0 sm_length was used * esm_class indicates UDH being present * 7bit encoding was requested The code would execute: ud_len = *sms_msg + 1; Which is a NULL pointer dereference and would lead to a crash of the NITB. Enforce the limits of the sm_length parameter and reject the messae otherwise. Fixes: Coverity CID 1042373

commit: dc50388c416bde0785e33a850eafde943b9b6fdf [log] [tgz]
author: Holger Hans Peter Freyther <holger@moiji-mobile.com> Sun Feb 08 09:53:44 2015 +0100
committer: Holger Hans Peter Freyther <holger@moiji-mobile.com> Sun Feb 08 09:56:31 2015 +0100
tree: cc3c1db68c861db846fc747201358dbb939a4ecf
parent: 4c6b4b9ab66273a9b03f9754efc3dddebe035732 [diff] [blame]
diff --git a/openbsc/src/libmsc/smpp_openbsc.c b/openbsc/src/libmsc/smpp_openbsc.c
index ff5ab40..b17222f 100644
--- a/openbsc/src/libmsc/smpp_openbsc.c
+++ b/openbsc/src/libmsc/smpp_openbsc.c

@@ -114,12 +114,13 @@
 		}
 		sms_msg = t->value.octet;
 		sms_msg_len = t->length;
-	} else if (submit->sm_length) {
+	} else if (submit->sm_length > 0 && submit->sm_length < 255) {
 		sms_msg = submit->short_message;
 		sms_msg_len = submit->sm_length;
 	} else {
-		sms_msg = NULL;
-		sms_msg_len = 0;
+		LOGP(DLSMS, LOGL_ERROR,
+			"SMPP neither message payload nor valid sm_length.\n");
+		return ESME_RINVPARLEN;
 	}
 
 	sms = sms_alloc();
commit	dc50388c416bde0785e33a850eafde943b9b6fdf	[log] [tgz]
author	Holger Hans Peter Freyther <holger@moiji-mobile.com>	Sun Feb 08 09:53:44 2015 +0100
committer	Holger Hans Peter Freyther <holger@moiji-mobile.com>	Sun Feb 08 09:56:31 2015 +0100
tree	cc3c1db68c861db846fc747201358dbb939a4ecf
parent	4c6b4b9ab66273a9b03f9754efc3dddebe035732 [diff] [blame]