Module: kamailio Branch: master Commit: fd01e587ed115a21284d27d7f402d51dc6f8743a URL: https://github.com/kamailio/kamailio/commit/fd01e587ed115a21284d27d7f402d51d...
Author: Daniel-Constantin Mierla miconda@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: 2016-05-07T08:58:16+02:00
smsops: safety check for pkg malloc result
- allocated the biggest possible size to simplify the checks
---
Modified: modules/smsops/smsops_impl.c
---
Diff: https://github.com/kamailio/kamailio/commit/fd01e587ed115a21284d27d7f402d51d... Patch: https://github.com/kamailio/kamailio/commit/fd01e587ed115a21284d27d7f402d51d...
---
diff --git a/modules/smsops/smsops_impl.c b/modules/smsops/smsops_impl.c index f90e6db..a772f93 100644 --- a/modules/smsops/smsops_impl.c +++ b/modules/smsops/smsops_impl.c @@ -301,7 +301,7 @@ static void EncodeTime(char * buffer) { // Decode SMS-Body into the given structure: int decode_3gpp_sms(struct sip_msg *msg) { str body; - int len, j, p = 0; + int len, blen, j, p = 0; // Parse only the body again, if the mesage differs from the last call: if (msg->id != current_msg_id) { // Extract Message-body and length: taken from RTPEngine's code @@ -385,25 +385,30 @@ int decode_3gpp_sms(struct sip_msg *msg) { rp_data->pdu.destination.s = pkg_malloc(rp_data->pdu.destination.len); DecodePhoneNumber(&body.s[p], rp_data->pdu.destination.len, rp_data->pdu.destination); if (rp_data->pdu.destination.len % 2 == 0) { - p += rp_data->pdu.destination.len/2; + p += rp_data->pdu.destination.len/2; } else { - p += (rp_data->pdu.destination.len/2)+1; + p += (rp_data->pdu.destination.len/2)+1; } - + } rp_data->pdu.pid = (unsigned char)body.s[p++]; rp_data->pdu.coding = (unsigned char)body.s[p++]; rp_data->pdu.validity = (unsigned char)body.s[p++]; len = body.s[p++]; if (len > 0) { + blen = 2 + len*4; + rp_data->pdu.payload.s = pkg_malloc(blen); + if(rp_data->pdu.payload.s==NULL) { + LM_ERR("no more pkg\n"); + return -1; + } + memset(rp_data->pdu.payload.s, 0, blen); // Coding: 7 Bit if (rp_data->pdu.coding == 0x00) { // We don't care about the extra used bytes here. - rp_data->pdu.payload.s = pkg_malloc(len); - rp_data->pdu.payload.len = gsm_to_ascii(&body.s[p], len, rp_data->pdu.payload); + rp_data->pdu.payload.len = gsm_to_ascii(&body.s[p], blen, rp_data->pdu.payload); } else { // Length is worst-case 2 * len (UCS2 is 2 Bytes, UTF8 is worst-case 4 Bytes) - rp_data->pdu.payload.s = pkg_malloc(len*4); rp_data->pdu.payload.len = 0; while (len > 0) { j = (body.s[p] << 8) + body.s[p + 1]; @@ -413,11 +418,11 @@ int decode_3gpp_sms(struct sip_msg *msg) { } } } - } + } } }
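Review bot: The 7-bit branch now passes the output allocation size `blen` (`2 + len*4`) to gsm_to_ascii where the removed call passed `len`, the length octet read from the message, which looks like an over-read of the message body. gsm_to_ascii is not shown here, but if its second parameter is the amount of input to decode, as the old call suggests, the decoder will now walk several times past the user data in `body.s`; keep `len` as the input bound and use `blen` only for the allocation: `rp_data->pdu.payload.len = gsm_to_ascii(&body.s[p], len, rp_data->pdu.payload);`. The context line `rp_data->pdu.destination.s = pkg_malloc(rp_data->pdu.destination.len);` in the same hunk is still followed by DecodePhoneNumber with no NULL test, so the check added for the payload should be mirrored there. decode_3gpp_sms starts and ends outside this hunk, so whether `p` and `len` are bounded against the body length before the `body.s[p++]` reads cannot be confirmed from these lines.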
- return 1; + return 1; }
int dumpRPData(sms_rp_data_t * rpdata, int level) {