osmith has submitted this change. ( https://gerrit.osmocom.org/c/osmo-msc/+/33397 )
Change subject: smpp_msc: submit_to_sms: check ud_len > sms_msg_len ......................................................................
smpp_msc: submit_to_sms: check ud_len > sms_msg_len
Fixes: CID#240727 Change-Id: Ie01ac84816f6ac3ba5631a643d486fb0dfb05eb2 --- M src/libsmpputil/smpp_msc.c 1 file changed, 16 insertions(+), 0 deletions(-)
Approvals: Jenkins Builder: Verified pespin: Looks good to me, but someone else must approve fixeria: Looks good to me, approved
diff --git a/src/libsmpputil/smpp_msc.c b/src/libsmpputil/smpp_msc.c
index 87cab00..fed5858 100644
--- a/src/libsmpputil/smpp_msc.c
+++ b/src/libsmpputil/smpp_msc.c
@@ -245,6 +245,12 @@
 sms->data_coding_scheme = GSM338_DCS_1111_7BIT;
 if (sms->ud_hdr_ind) {
 ud_len = *sms_msg + 1;
+ if (ud_len > sms_msg_len) {
+ sms_free(sms);
+ LOGP(DLSMS, LOGL_ERROR, "invalid ud_len=%u > sms_msg_len=%u\n", ud_len,
+ sms_msg_len);
+ return ESME_RINVPARLEN;
+ }
 printf("copying %u bytes user data...\n", ud_len);
 memcpy(sms->user_data, sms_msg,
 OSMO_MIN(ud_len, sizeof(sms->user_data)));
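Review bot: The length octet is still read by `ud_len = *sms_msg + 1;` before anything establishes that the message holds at least one byte, so the added `ud_len > sms_msg_len` test rejects an empty message with the UDH indicator set only after that read has already happened. If `sms_msg_len` can be 0 on this path (where it comes from is outside the hunk), guard the read first, e.g. `if (sms_msg_len < 1) { sms_free(sms); return ESME_RINVPARLEN; }` ahead of the assignment. The `OSMO_MIN(ud_len, sizeof(sms->user_data))` cap in the `memcpy` also means a header longer than the destination buffer is truncated silently rather than rejected; the same early return could cover `ud_len > sizeof(sms->user_data)`. The body of submit_to_sms begins and ends outside the hunk, so how `ud_len` is used after the copy is not visible here.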