This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.
Daniel Willmann dwillmann at sysmocom.de

The first four bytes are the length including the length field. For length < 4 the subsequent msgb_put(msg, sizeof(uint32_t)) will fail, resulting in an abort. This patch guards against this problem by closing the connection if the length received is < 5 (since no payload does not make any sense). The issue is reproducible with: echo -e "\x00\x00\x00\x02\x00" |socat stdin tcp:localhost:2775

--- openbsc/src/libmsc/smpp_smsc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/openbsc/src/libmsc/smpp_smsc.c b/openbsc/src/libmsc/smpp_smsc.c index 943464f..a3dc311 100644 --- a/openbsc/src/libmsc/smpp_smsc.c +++ b/openbsc/src/libmsc/smpp_smsc.c @@ -790,6 +790,12 @@ static int esme_link_read_cb(struct osmo_fd *ofd) esme->read_idx += rc; if (esme->read_idx >= sizeof(uint32_t)) { esme->read_len = ntohl(len); + if (esme->read_len <= 4) { + LOGP(DSMPP, LOGL_ERROR, "[%s] read length too small %d\n", + esme->system_id, esme->read_len); + goto dead_socket; + } + msg = msgb_alloc(esme->read_len, "SMPP Rx"); if (!msg) return -ENOMEM; -- 1.8.4.2
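Review bot: The format specifier in the new LOGP call does not match the argument type: esme->read_len is assigned from ntohl(len), so it is an unsigned 32-bit value, but the format string uses "%d"; use "%u" (or cast) so a large peer-supplied length is not logged as a negative number. The check itself (read_len <= 4) matches the "< 5" in the commit message, so the lower bound is correct; note though that the length is still passed unbounded to msgb_alloc(esme->read_len, "SMPP Rx") right after the check, and an allocation failure there returns -ENOMEM instead of taking the dead_socket path, so it would be worth rejecting lengths above the maximum PDU size this reader expects in the same block, using the same goto dead_socket.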