Gitiles
Code Review Sign In
gerrit.osmocom.org / osmo-sgsn / b6f01e77b1b270f2ee9b193be01599ce31728991
commitb6f01e77b1b270f2ee9b193be01599ce31728991[log] [tgz]
authorDaniel Willmann <dwillmann@sysmocom.de>Fri Jan 17 15:17:36 2014 +0100
committerHolger Hans Peter Freyther <holger@moiji-mobile.com>Thu Mar 06 23:20:30 2014 +0100
tree0fae2fb68b9a78f695fea64a416bf50553b4c970
parenta4540b2c3bd9875d311d065f1f912e21758b7ae4 [diff]
smpp_smsc: Check that the size is large enough to hold actual data

The first 4 bytes are the length including the length field. For
length < 4 the subsequent msgb_put(msg, sizeof(uint32_t)) will fail,
resulting in an abort. The code also expects (in smpp_msgb_cmdid()) the
existence of 4 more bytes for the SMPP command ID.

This patch checks that the length received is large enough to hold all
8 bytes in the msgb and drops the connection if that's not the case.

The issue is reproducible with:
echo -e "\x00\x00\x00\x02\x00" |socat stdin tcp:localhost:2775
1 file changed
tree: 0fae2fb68b9a78f695fea64a416bf50553b4c970
  1. debian/
  2. hlrsync/
  3. linux-kernel/
  4. openbsc/
  5. wireshark/
  6. README