commit | 1fc8ec66a3e59e806b6a1b926443365527ea63c2 | [log] [tgz] |
---|---|---|
author | Daniel Willmann <dwillmann@sysmocom.de> | Fri Jan 17 15:17:36 2014 +0100 |
committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | Thu Mar 06 23:20:30 2014 +0100 |
tree | 4a7328c72904f56d61c0b14d2a6af4f6d3005dd2 | |
parent | b6f01e77b1b270f2ee9b193be01599ce31728991 [diff] |
smpp_smsc: Fix integer overflow in read return value and msgb_alloc() The size parameter of msgb_alloc is uint16_t so any length value above 65535 will allocate a msgb with incorrect size. This patch changes the type of rdlen and rc to ssize_t (the return value of read) and guards against the read length being larger than UINT16_MAX. To reproduce the issue run: echo -en "\x00\x01\x00\x01\x01" |socat stdin tcp:localhost:2775