
smsops: safety check for pkg malloc result

- allocated the biggest possible size to simplify the checks
Daniel-Constantin Mierla 9 vuotta sitten
vanhempi
commit
fd01e587ed
1 muutettua tiedostoa jossa 14 lisäystä ja 9 poistoa
  1. 14 9
      modules/smsops/smsops_impl.c

+ 14 - 9
modules/smsops/smsops_impl.c

@@ -301,7 +301,7 @@ static void EncodeTime(char * buffer) {
 // Decode SMS-Body into the given structure:
 int decode_3gpp_sms(struct sip_msg *msg) {
 	str body;
-	int len, j, p = 0;
+	int len, blen, j, p = 0;
 	// Parse only the body again, if the mesage differs from the last call:
 	if (msg->id != current_msg_id) {
 		// Extract Message-body and length: taken from RTPEngine's code
@@ -385,25 +385,30 @@ int decode_3gpp_sms(struct sip_msg *msg) {
 					rp_data->pdu.destination.s = pkg_malloc(rp_data->pdu.destination.len);
 					DecodePhoneNumber(&body.s[p], rp_data->pdu.destination.len, rp_data->pdu.destination);
 					if (rp_data->pdu.destination.len % 2 == 0) {
-						p += rp_data->pdu.destination.len/2;	
+						p += rp_data->pdu.destination.len/2;
 					} else {
-						p += (rp_data->pdu.destination.len/2)+1;	
+						p += (rp_data->pdu.destination.len/2)+1;
 					}
-					
+
 				}
 				rp_data->pdu.pid = (unsigned char)body.s[p++];
 				rp_data->pdu.coding = (unsigned char)body.s[p++];
 				rp_data->pdu.validity = (unsigned char)body.s[p++];
 				len = body.s[p++];
 				if (len > 0) {
+					blen = 2 + len*4;
+					rp_data->pdu.payload.s = pkg_malloc(blen);
+					if(rp_data->pdu.payload.s==NULL) {
+						LM_ERR("no more pkg\n");
+						return -1;
+					}
+					memset(rp_data->pdu.payload.s, 0, blen);
 					// Coding: 7 Bit
 					if (rp_data->pdu.coding == 0x00) {
 						// We don't care about the extra used bytes here.
-						rp_data->pdu.payload.s = pkg_malloc(len);
-						rp_data->pdu.payload.len = gsm_to_ascii(&body.s[p], len, rp_data->pdu.payload);
+						rp_data->pdu.payload.len = gsm_to_ascii(&body.s[p], blen, rp_data->pdu.payload);
 					} else {
 						// Length is worst-case 2 * len (UCS2 is 2 Bytes, UTF8 is worst-case 4 Bytes)
-						rp_data->pdu.payload.s = pkg_malloc(len*4);
 						rp_data->pdu.payload.len = 0;
 						while (len > 0) {
 							j = (body.s[p] << 8) + body.s[p + 1];
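Review bot: In the 7-bit branch the call now passes `blen` (the size of the output allocation, `2 + len*4`) as the second argument of `gsm_to_ascii`, where the removed line passed `len`, the user-data length read from the message. `gsm_to_ascii` is not visible in this hunk, but if that parameter is the number of input bytes, the decoder would consume roughly four times more of `body.s` than the SMS declares, reading past the user data and possibly writing more characters than `blen` holds; I would keep `rp_data->pdu.payload.len = gsm_to_ascii(&body.s[p], len, rp_data->pdu.payload);` and use the larger allocation only for the output side. The `pkg_malloc` for `rp_data->pdu.destination.s` at the top of the hunk is still handed to `DecodePhoneNumber` without a NULL check, so the same `LM_ERR`/`return -1` guard belongs there. Neither branch compares `len` or `p` with the body length before indexing `body.s`; that is worth confirming against the part of `decode_3gpp_sms` that starts and ends outside this hunk.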
@@ -413,11 +418,11 @@ int decode_3gpp_sms(struct sip_msg *msg) {
 						}
 					}
 				}
-			}				
+			}
 		}
 	}
 
-	return 1;	
+	return 1;
 }
 
 int dumpRPData(sms_rp_data_t * rpdata, int level) {