libmsc: gsm340_gen_oa_sub() may return negative value

gsm340_gen_oa() returns a negative value if the output buffer that the caller passes is too small, so we have to check the return value of this function. Fixes: CID 174178 Fixes: CID 174179 Change-Id: I47215d7d89771730a7f84efa8aeeb187a0911fdb
2017-08-10 09:38:58 +02:00 · 2017-08-10 09:38:58 +02:00 · 4b50924fe8
parent 27aed14892
commit 4b50924fe8
1 changed files with 9 additions and 2 deletions
--- a/src/libmsc/gsm_04_11.c
+++ b/src/libmsc/gsm_04_11.c
@ -215,9 +215,9 @@ static int gsm340_gen_sms_deliver_tpdu(struct msgb *msg, struct gsm_sms *sms)
 {
 	uint8_t *smsp;
 	uint8_t oa[12];	/* max len per 03.40 */
-	uint8_t oa_len = 0;
 	uint8_t octet_len;
 	unsigned int old_msg_len = msg->len;
+	int oa_len;

 	/* generate first octet with masked bits */
 	smsp = msgb_put(msg, 1);
@ -235,6 +235,9 @@ static int gsm340_gen_sms_deliver_tpdu(struct msgb *msg, struct gsm_sms *sms)

 	/* generate originator address */
 	oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->src);
+	if (oa_len < 0)
+		return -ENOSPC;
+
 	smsp = msgb_put(msg, oa_len);
 	memcpy(smsp, oa, oa_len);

@ -284,9 +287,9 @@ static int gsm340_gen_sms_status_report_tpdu(struct msgb *msg,
 					     struct gsm_sms *sms)
 {
 	unsigned int old_msg_len = msg->len;
-	uint8_t oa_len = 0;
 	uint8_t oa[12];	/* max len per 03.40 */
 	uint8_t *smsp;
+	int oa_len;

 	/* generate first octet with masked bits */
 	smsp = msgb_put(msg, 1);
@ -298,8 +301,12 @@ static int gsm340_gen_sms_status_report_tpdu(struct msgb *msg,
 	/* TP-MR (message reference) */
 	smsp = msgb_put(msg, 1);
 	*smsp = sms->msg_ref;
+
 	/* generate recipient address */
 	oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->dst);
+	if (oa_len < 0)
+		return -ENOSPC;
+
 	smsp = msgb_put(msg, oa_len);
 	memcpy(smsp, oa, oa_len);