The first four bytes are the length including the length field. For
length < 4 the subsequent msgb_put(msg, sizeof(uint32_t)) will fail,
resulting in an abort.
This patch guards against this problem by closing the connection if the
length received is < 5 (since no payload does not make any sense).
The issue is reproducible with:
echo -e "\x00\x00\x00\x02\x00" |socat stdin tcp:localhost:2775
---
openbsc/src/libmsc/smpp_smsc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/openbsc/src/libmsc/smpp_smsc.c b/openbsc/src/libmsc/smpp_smsc.c
index 943464f..a3dc311 100644
--- a/openbsc/src/libmsc/smpp_smsc.c
+++ b/openbsc/src/libmsc/smpp_smsc.c
@@ -790,6 +790,12 @@ static int esme_link_read_cb(struct osmo_fd *ofd)
esme->read_idx += rc;
if (esme->read_idx >= sizeof(uint32_t)) {
esme->read_len = ntohl(len);
+ if (esme->read_len <= 4) {
+ LOGP(DSMPP, LOGL_ERROR, "[%s] read length too small %d\n",
+ esme->system_id, esme->read_len);
+ goto dead_socket;
+ }
+
msg = msgb_alloc(esme->read_len, "SMPP Rx");
if (!msg)
return -ENOMEM;
--
1.8.4.2