smpp_smsc: Check that the size is large enough to hold actual data The first 4 bytes are the length including the length field. For length < 4 the subsequent msgb_put(msg, sizeof(uint32_t)) will fail, resulting in an abort. The code also expects (in smpp_msgb_cmdid()) the existence of 4 more bytes for the SMPP command ID. This patch checks that the length received is large enough to hold all 8 bytes in the msgb and drops the connection if that's not the case. The issue is reproducible with: echo -e "\x00\x00\x00\x02\x00" |socat stdin tcp:localhost:2775

commit: b6f01e77b1b270f2ee9b193be01599ce31728991 [log] [tgz]
author: Daniel Willmann <dwillmann@sysmocom.de> Fri Jan 17 15:17:36 2014 +0100
committer: Holger Hans Peter Freyther <holger@moiji-mobile.com> Thu Mar 06 23:20:30 2014 +0100
tree: 0fae2fb68b9a78f695fea64a416bf50553b4c970
parent: a4540b2c3bd9875d311d065f1f912e21758b7ae4 [diff] [blame]
diff --git a/openbsc/src/libmsc/smpp_smsc.c b/openbsc/src/libmsc/smpp_smsc.c
index 1e9829b..605bdd5 100644
--- a/openbsc/src/libmsc/smpp_smsc.c
+++ b/openbsc/src/libmsc/smpp_smsc.c

@@ -803,6 +803,12 @@
 
 		if (esme->read_idx >= sizeof(uint32_t)) {
 			esme->read_len = ntohl(len);
+			if (esme->read_len < 8) {
+				LOGP(DSMPP, LOGL_ERROR, "[%s] read length too small %u\n",
+						esme->system_id, esme->read_len);
+				goto dead_socket;
+			}
+
 			msg = msgb_alloc(esme->read_len, "SMPP Rx");
 			if (!msg)
 				return -ENOMEM;
commit	b6f01e77b1b270f2ee9b193be01599ce31728991	[log] [tgz]
author	Daniel Willmann <dwillmann@sysmocom.de>	Fri Jan 17 15:17:36 2014 +0100
committer	Holger Hans Peter Freyther <holger@moiji-mobile.com>	Thu Mar 06 23:20:30 2014 +0100
tree	0fae2fb68b9a78f695fea64a416bf50553b4c970
parent	a4540b2c3bd9875d311d065f1f912e21758b7ae4 [diff] [blame]