smpp_msc: submit_to_sms: check ud_len > sms_msg_len
Fixes: CID#240727
Change-Id: Ie01ac84816f6ac3ba5631a643d486fb0dfb05eb2
diff --git a/src/libsmpputil/smpp_msc.c b/src/libsmpputil/smpp_msc.c
index 87cab00..fed5858 100644
--- a/src/libsmpputil/smpp_msc.c
+++ b/src/libsmpputil/smpp_msc.c
@@ -245,6 +245,12 @@
sms->data_coding_scheme = GSM338_DCS_1111_7BIT;
if (sms->ud_hdr_ind) {
ud_len = *sms_msg + 1;
+ if (ud_len > sms_msg_len) {
+ sms_free(sms);
+ LOGP(DLSMS, LOGL_ERROR, "invalid ud_len=%u > sms_msg_len=%u\n", ud_len,
+ sms_msg_len);
+ return ESME_RINVPARLEN;
+ }
printf("copying %u bytes user data...\n", ud_len);
memcpy(sms->user_data, sms_msg,
OSMO_MIN(ud_len, sizeof(sms->user_data)));
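Review bot: The length octet is read by `ud_len = *sms_msg + 1;` before anything in this hunk establishes that `sms_msg_len` is at least 1, so an empty message with `ud_hdr_ind` set would still be dereferenced ahead of the new check. Unless a test outside the hunk already guarantees a non-empty message, add `if (sms_msg_len == 0) { sms_free(sms); return ESME_RINVPARLEN; }` before that line. The new test also bounds `ud_len` by the message length but not by `sizeof(sms->user_data)`: the `memcpy` below silently clamps the copy while `ud_len` keeps the larger value, so if code after the hunk uses `ud_len` as an offset into `user_data`, the same branch should reject `ud_len > sizeof(sms->user_data)`. The declarations of `ud_len` and `sms_msg_len` are not visible here; if `ud_len` is an 8-bit type, a length octet of 0xff makes `*sms_msg + 1` wrap to 0 and pass the check, and the `%u` specifiers in the new `LOGP` call should be confirmed against the declared types. The enclosing function begins and ends outside the hunk.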