osmo-msc/openbsc/src/libmsc
Daniel Willmann 1fc8ec66a3 smpp_smsc: Fix integer overflow in read return value and msgb_alloc()
The size parameter of msgb_alloc is uint16_t so any length value above
65535 will allocate a msgb with incorrect size.

This patch changes the type of rdlen and rc to ssize_t (the return value
of read) and guards against the read length being larger than
UINT16_MAX.

To reproduce the issue run:
echo -en "\x00\x01\x00\x01\x01" |socat stdin tcp:localhost:2775
2014-03-06 23:20:30 +01:00
Makefile.am sms: Increment the RP Message Reference for each transaction 2014-02-20 11:35:56 +01:00
auth.c src: use namespace prefix osmo_* for misc utils 2011-05-07 12:58:59 +02:00
db.c db: Avoid crash we have seen with the dbi code when reading a SMS 2013-12-27 20:20:55 +01:00
gsm_04_08.c sms/dtap: Add log messages to analyse SMS message loss 2014-01-31 11:17:44 +01:00
gsm_04_11.c sms: Do not interfere with the SMS queue from within gsm_04_11 2014-02-24 14:31:39 +01:00
gsm_04_11_helper.c sms: Increment the RP Message Reference for each transaction 2014-02-20 11:35:56 +01:00
gsm_04_80.c ussd: Move to use gsm_7bit_encode_n_ussd for USSD encoding 2013-12-26 22:17:45 +01:00
gsm_subscriber.c db: Remove the struct gsm_network from the database layer 2013-10-13 13:44:54 +02:00
mncc.c misc: Remove sys/types.h includes from the files 2011-04-18 17:31:39 +02:00
mncc_builtin.c Each BTS can be configured for speech support (other than GSM full rate) 2014-01-14 17:37:02 +01:00
mncc_sock.c mncc: Include size and offsets of struct gsm_mncc in the hello 2012-01-15 00:40:42 +01:00
osmo_msc.c sms/dtap: Add log messages to analyse SMS message loss 2014-01-31 11:17:44 +01:00
rrlp.c src: use namespace prefix osmo_signal* 2011-05-06 12:12:31 +02:00
silent_call.c sms/dtap: Add log messages to analyse SMS message loss 2014-01-31 11:17:44 +01:00
smpp_openbsc.c SMPP: UCS2 data_coding is 0x08, not 0x80! 2014-02-21 13:21:03 +01:00
smpp_smsc.c smpp_smsc: Fix integer overflow in read return value and msgb_alloc() 2014-03-06 23:20:30 +01:00
smpp_smsc.h smpp: Move the coding/mode detection into a utils file 2013-07-27 20:03:10 +02:00
smpp_utils.c smpp: Move the coding/mode detection into a utils file 2013-07-27 20:03:10 +02:00
smpp_vty.c vty: Use vty_install_default() instead of bsc_install_default() 2013-10-30 15:19:00 +01:00
sms_queue.c sms: Address the TODO and schedule the next SMS for an active subscriber 2014-02-24 16:13:04 +01:00
token_auth.c libmsc: Allow to set sender id when sending SMS from the VTY 2013-01-01 17:04:38 +01:00
transaction.c libmsc: Set the "trans->conn" to NULL to catch invalid usage 2013-12-27 18:07:23 +01:00
ussd.c ussd: Reject and release unhandled SS requests/interrogation 2013-12-28 17:52:23 +01:00
vty_interface_layer3.c vty: Use vty_install_default() instead of bsc_install_default() 2013-10-30 15:19:00 +01:00