smpp_mirror: Don't allocate msgb's for unrealistic amounts of memory
If the remote ESME would send us 0xffffffff as the length field, don't try to allocate 4GB of memory, but bail out. Change-Id: I561f75210811826de06ea1673eca1df24faaa210 Fixes: CID#240738
parent
065b23ae5b
commit
890ece1277
|
@ -246,6 +246,10 @@ static int esme_read_cb(struct osmo_fd *ofd)
|
||||||
esme->read_idx += rc;
|
esme->read_idx += rc;
|
||||||
if (esme->read_idx >= sizeof(uint32_t)) {
|
if (esme->read_idx >= sizeof(uint32_t)) {
|
||||||
esme->read_len = ntohl(len);
|
esme->read_len = ntohl(len);
|
||||||
|
if (esme->read_len > 65535) {
|
||||||
|
/* unrealistic */
|
||||||
|
goto dead_socket;
|
||||||
|
}
|
||||||
msg = msgb_alloc(esme->read_len, "SMPP Rx");
|
msg = msgb_alloc(esme->read_len, "SMPP Rx");
|
||||||
if (!msg)
|
if (!msg)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
@ -283,6 +287,7 @@ dead_socket:
|
||||||
osmo_fd_unregister(&esme->wqueue.bfd);
|
osmo_fd_unregister(&esme->wqueue.bfd);
|
||||||
close(esme->wqueue.bfd.fd);
|
close(esme->wqueue.bfd.fd);
|
||||||
esme->wqueue.bfd.fd = -1;
|
esme->wqueue.bfd.fd = -1;
|
||||||
|
esme_read_state_reset(esme);
|
||||||
exit(2342);
|
exit(2342);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
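Review bot: The new bound in esme_read_cb rejects only lengths above 65535, so a peer-supplied length smaller than the four bytes already read (0 through 3) still reaches `msgb_alloc()`. SMPP's command_length counts the whole PDU including the length field itself, so such a value is never valid. The rest of the function is outside this hunk, but if it copies the length word into the msgb or computes the remaining bytes as `read_len - read_idx`, a too-small value would overrun the buffer or wrap. Consider `if (esme->read_len < sizeof(uint32_t) || esme->read_len > 65535) {`, with the limit as a named constant and the comment stating the reason, e.g. `/* length is peer-controlled: reject impossible or unrealistic sizes */`. Also note that `dead_socket` in the second hunk still ends in `exit(2342)`, so this rejection path terminates the whole process instead of only dropping the connection, and the added `esme_read_state_reset(esme)` has no lasting effect there.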