libmsc: gsm340_gen_oa_sub() may return negative value
gsm340_gen_oa() returns a negative value if the output buffer that the caller passes is too small, so we have to check the return value of this function. Fixes: CID 174178 Fixes: CID 174179 Change-Id: I47215d7d89771730a7f84efa8aeeb187a0911fdb
This commit is contained in:
parent
de16ae8f24
commit
73bb3bbed5
|
@ -215,9 +215,9 @@ static int gsm340_gen_sms_deliver_tpdu(struct msgb *msg, struct gsm_sms *sms)
|
|||
{
|
||||
uint8_t *smsp;
|
||||
uint8_t oa[12]; /* max len per 03.40 */
|
||||
uint8_t oa_len = 0;
|
||||
uint8_t octet_len;
|
||||
unsigned int old_msg_len = msg->len;
|
||||
int oa_len;
|
||||
|
||||
/* generate first octet with masked bits */
|
||||
smsp = msgb_put(msg, 1);
|
||||
|
@ -235,6 +235,9 @@ static int gsm340_gen_sms_deliver_tpdu(struct msgb *msg, struct gsm_sms *sms)
|
|||
|
||||
/* generate originator address */
|
||||
oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->src);
|
||||
if (oa_len < 0)
|
||||
return -ENOSPC;
|
||||
|
||||
smsp = msgb_put(msg, oa_len);
|
||||
memcpy(smsp, oa, oa_len);
|
||||
|
||||
|
@ -284,9 +287,9 @@ static int gsm340_gen_sms_status_report_tpdu(struct msgb *msg,
|
|||
struct gsm_sms *sms)
|
||||
{
|
||||
unsigned int old_msg_len = msg->len;
|
||||
uint8_t oa_len = 0;
|
||||
uint8_t oa[12]; /* max len per 03.40 */
|
||||
uint8_t *smsp;
|
||||
int oa_len;
|
||||
|
||||
/* generate first octet with masked bits */
|
||||
smsp = msgb_put(msg, 1);
|
||||
|
@ -298,8 +301,12 @@ static int gsm340_gen_sms_status_report_tpdu(struct msgb *msg,
|
|||
/* TP-MR (message reference) */
|
||||
smsp = msgb_put(msg, 1);
|
||||
*smsp = sms->msg_ref;
|
||||
|
||||
/* generate recipient address */
|
||||
oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->dst);
|
||||
if (oa_len < 0)
|
||||
return -ENOSPC;
|
||||
|
||||
smsp = msgb_put(msg, oa_len);
|
||||
memcpy(smsp, oa, oa_len);
|
||||
|
||||
|
|
Loading…
Reference in New Issue