smpp_smsc: Check that the size is large enough to hold actual data
The first 4 bytes are the length including the length field. For length < 4 the subsequent msgb_put(msg, sizeof(uint32_t)) will fail, resulting in an abort. The code also expects (in smpp_msgb_cmdid()) the existence of 4 more bytes for the SMPP command ID. This patch checks that the length received is large enough to hold all 8 bytes in the msgb and drops the connection if that's not the case. The issue is reproducible with: echo -e "\x00\x00\x00\x02\x00" |socat stdin tcp:localhost:2775
This commit is contained in:
parent
a4540b2c3b
commit
b6f01e77b1
@ -803,6 +803,12 @@ static int esme_link_read_cb(struct osmo_fd *ofd)
if (esme->read_idx >= sizeof(uint32_t)) {
if (esme->read_idx >= sizeof(uint32_t)) {
esme->read_len = ntohl(len);
esme->read_len = ntohl(len);
if (esme->read_len < 8) {
LOGP(DSMPP, LOGL_ERROR, "[%s] read length too small %u\n",
esme->system_id, esme->read_len);
goto dead_socket;
}
msg = msgb_alloc(esme->read_len, "SMPP Rx");
msg = msgb_alloc(esme->read_len, "SMPP Rx");
if (!msg)
if (!msg)
return -ENOMEM;
return -ENOMEM;
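Review bot: The new `read_len < 8` check bounds the length only from below; the peer-supplied value is still passed unbounded to `msgb_alloc(esme->read_len, "SMPP Rx")` two lines later, so a single connection can request an allocation of up to 4 GiB. The same branch should also reject lengths above the largest PDU the parser handles, e.g. `if (esme->read_len < 8 || esme->read_len > MAX_PDU_LEN) {` where `MAX_PDU_LEN` is a placeholder for a project-defined limit, and a failed `msgb_alloc` should probably go to `dead_socket` as well rather than returning `-ENOMEM` with the socket still open (inferred; the caller's handling of `-ENOMEM` is outside the hunk). The literal 8 deserves a comment, `/* 4-byte command_length + 4-byte command_id, see smpp_msgb_cmdid() */`, so the next reader does not have to reconstruct it from the commit message. If `read_len` is a `uint32_t`, `%u` in the LOGP format is correct on common ABIs but `PRIu32` would be the portable choice. esme_link_read_cb continues on both sides of the hunk.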