smpp_mirror: Don't allocate msgb's for unrealistic amounts of memory

If the remote ESME sends us 0xffffffff as the length field, don't try
to allocate 4GB of memory, but bail out.

Change-Id: I561f75210811826de06ea1673eca1df24faaa210
Fixes: CID#240738
Harald Welte 2021-10-25 08:18:58 +02:00 committed by laforge
parent 065b23ae5b
commit 890ece1277
1 changed files with 5 additions and 0 deletions


@ -246,6 +246,10 @@ static int esme_read_cb(struct osmo_fd *ofd)
esme->read_idx += rc;
if (esme->read_idx >= sizeof(uint32_t)) {
esme->read_len = ntohl(len);
if (esme->read_len > 65535) {
/* unrealistic */
goto dead_socket;
}
msg = msgb_alloc(esme->read_len, "SMPP Rx");
if (!msg)
return -ENOMEM;
@ -283,6 +287,7 @@ dead_socket:
osmo_fd_unregister(&esme->wqueue.bfd);
close(esme->wqueue.bfd.fd);
esme->wqueue.bfd.fd = -1;
esme_read_state_reset(esme);
exit(2342);
return 0;