smpp: Fix potential crash in handling submitSM
In case: * No message_payload and a 0 sm_length was used * esm_class indicates UDH being present * 7bit encoding was requested The code would execute: ud_len = *sms_msg + 1; Which is a NULL pointer dereference and would lead to a crash of the NITB. Enforce the limits of the sm_length parameter and reject the messae otherwise. Fixes: Coverity CID 1042373
This commit is contained in:
parent
60e073e28d
commit
a0735ecab5
|
@ -114,12 +114,13 @@ static int submit_to_sms(struct gsm_sms **psms, struct gsm_network *net,
|
|||
}
|
||||
sms_msg = t->value.octet;
|
||||
sms_msg_len = t->length;
|
||||
} else if (submit->sm_length) {
|
||||
} else if (submit->sm_length > 0 && submit->sm_length < 255) {
|
||||
sms_msg = submit->short_message;
|
||||
sms_msg_len = submit->sm_length;
|
||||
} else {
|
||||
sms_msg = NULL;
|
||||
sms_msg_len = 0;
|
||||
LOGP(DLSMS, LOGL_ERROR,
|
||||
"SMPP neither message payload nor valid sm_length.\n");
|
||||
return ESME_RINVPARLEN;
|
||||
}
|
||||
|
||||
sms = sms_alloc();
|
||||
|
|
Loading…
Reference in New Issue