Module: kamailio
Branch: master
Commit: fd01e587ed115a21284d27d7f402d51dc6f8743a
URL:
https://github.com/kamailio/kamailio/commit/fd01e587ed115a21284d27d7f402d51…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2016-05-07T08:58:16+02:00
smsops: safety check for pkg malloc result
- allocated the biggest possible size to simplify the checks
---
Modified: modules/smsops/smsops_impl.c
---
Diff:
https://github.com/kamailio/kamailio/commit/fd01e587ed115a21284d27d7f402d51…
Patch:
https://github.com/kamailio/kamailio/commit/fd01e587ed115a21284d27d7f402d51…
---
diff --git a/modules/smsops/smsops_impl.c b/modules/smsops/smsops_impl.c
index f90e6db..a772f93 100644
--- a/modules/smsops/smsops_impl.c
+++ b/modules/smsops/smsops_impl.c
@@ -301,7 +301,7 @@ static void EncodeTime(char * buffer) {
// Decode SMS-Body into the given structure:
int decode_3gpp_sms(struct sip_msg *msg) {
str body;
- int len, j, p = 0;
+ int len, blen, j, p = 0;
// Parse only the body again, if the mesage differs from the last call:
if (msg->id != current_msg_id) {
// Extract Message-body and length: taken from RTPEngine's code
@@ -385,25 +385,30 @@ int decode_3gpp_sms(struct sip_msg *msg) {
rp_data->pdu.destination.s = pkg_malloc(rp_data->pdu.destination.len);
DecodePhoneNumber(&body.s[p], rp_data->pdu.destination.len,
rp_data->pdu.destination);
if (rp_data->pdu.destination.len % 2 == 0) {
- p += rp_data->pdu.destination.len/2;
+ p += rp_data->pdu.destination.len/2;
} else {
- p += (rp_data->pdu.destination.len/2)+1;
+ p += (rp_data->pdu.destination.len/2)+1;
}
-
+
}
rp_data->pdu.pid = (unsigned char)body.s[p++];
rp_data->pdu.coding = (unsigned char)body.s[p++];
rp_data->pdu.validity = (unsigned char)body.s[p++];
len = body.s[p++];
if (len > 0) {
+ blen = 2 + len*4;
+ rp_data->pdu.payload.s = pkg_malloc(blen);
+ if(rp_data->pdu.payload.s==NULL) {
+ LM_ERR("no more pkg\n");
+ return -1;
+ }
+ memset(rp_data->pdu.payload.s, 0, blen);
// Coding: 7 Bit
if (rp_data->pdu.coding == 0x00) {
// We don't care about the extra used bytes here.
- rp_data->pdu.payload.s = pkg_malloc(len);
- rp_data->pdu.payload.len = gsm_to_ascii(&body.s[p], len,
rp_data->pdu.payload);
+ rp_data->pdu.payload.len = gsm_to_ascii(&body.s[p], blen,
rp_data->pdu.payload);
} else {
// Length is worst-case 2 * len (UCS2 is 2 Bytes, UTF8 is worst-case 4 Bytes)
- rp_data->pdu.payload.s = pkg_malloc(len*4);
rp_data->pdu.payload.len = 0;
while (len > 0) {
j = (body.s[p] << 8) + body.s[p + 1];
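Review bot: The 7-bit branch now passes `blen` (the size of the output allocation, `2 + len*4`) as the second argument of `gsm_to_ascii()`, where the old call passed `len`. If that parameter is the input length, as the old call suggests, the decoder can read several times more bytes from `body.s` than the PDU declares, and nothing in this hunk compares `p` with `body.len`. Because `len` is taken directly from a byte of the SIP body, I would keep the input length as before, `rp_data->pdu.payload.len = gsm_to_ascii(&body.s[p], len, rp_data->pdu.payload);`, and reject the message before allocating when the declared length runs past `body.len`. Separately, the `pkg_malloc()` result for `rp_data->pdu.destination.s` at the top of the hunk is still passed to `DecodePhoneNumber()` without a NULL check. The body of `decode_3gpp_sms` starts and ends outside the hunk, so a bounds check may already exist there.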
@@ -413,11 +418,11 @@ int decode_3gpp_sms(struct sip_msg *msg) {
}
}
}
- }
+ }
}
}
- return 1;
+ return 1;
}
int dumpRPData(sms_rp_data_t * rpdata, int level) {