[sr-dev] git:master:fd01e587: smsops: safety check for pkg malloc result

Daniel-Constantin Mierla miconda at gmail.com
Sat May 7 09:00:14 CEST 2016


Module: kamailio
Branch: master
Commit: fd01e587ed115a21284d27d7f402d51dc6f8743a
URL: https://github.com/kamailio/kamailio/commit/fd01e587ed115a21284d27d7f402d51dc6f8743a

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2016-05-07T08:58:16+02:00

smsops: safety check for pkg malloc result

- allocated the biggest possible size to simplify the checks

---

Modified: modules/smsops/smsops_impl.c

---

Diff:  https://github.com/kamailio/kamailio/commit/fd01e587ed115a21284d27d7f402d51dc6f8743a.diff
Patch: https://github.com/kamailio/kamailio/commit/fd01e587ed115a21284d27d7f402d51dc6f8743a.patch

---

diff --git a/modules/smsops/smsops_impl.c b/modules/smsops/smsops_impl.c
index f90e6db..a772f93 100644
--- a/modules/smsops/smsops_impl.c
+++ b/modules/smsops/smsops_impl.c
@@ -301,7 +301,7 @@ static void EncodeTime(char * buffer) {
 // Decode SMS-Body into the given structure:
 int decode_3gpp_sms(struct sip_msg *msg) {
 	str body;
-	int len, j, p = 0;
+	int len, blen, j, p = 0;
 	// Parse only the body again, if the mesage differs from the last call:
 	if (msg->id != current_msg_id) {
 		// Extract Message-body and length: taken from RTPEngine's code
@@ -385,25 +385,30 @@ int decode_3gpp_sms(struct sip_msg *msg) {
 					rp_data->pdu.destination.s = pkg_malloc(rp_data->pdu.destination.len);
 					DecodePhoneNumber(&body.s[p], rp_data->pdu.destination.len, rp_data->pdu.destination);
 					if (rp_data->pdu.destination.len % 2 == 0) {
-						p += rp_data->pdu.destination.len/2;	
+						p += rp_data->pdu.destination.len/2;
 					} else {
-						p += (rp_data->pdu.destination.len/2)+1;	
+						p += (rp_data->pdu.destination.len/2)+1;
 					}
-					
+
 				}
 				rp_data->pdu.pid = (unsigned char)body.s[p++];
 				rp_data->pdu.coding = (unsigned char)body.s[p++];
 				rp_data->pdu.validity = (unsigned char)body.s[p++];
 				len = body.s[p++];
 				if (len > 0) {
+					blen = 2 + len*4;
+					rp_data->pdu.payload.s = pkg_malloc(blen);
+					if(rp_data->pdu.payload.s==NULL) {
+						LM_ERR("no more pkg\n");
+						return -1;
+					}
+					memset(rp_data->pdu.payload.s, 0, blen);
 					// Coding: 7 Bit
 					if (rp_data->pdu.coding == 0x00) {
 						// We don't care about the extra used bytes here.
-						rp_data->pdu.payload.s = pkg_malloc(len);
-						rp_data->pdu.payload.len = gsm_to_ascii(&body.s[p], len, rp_data->pdu.payload);
+						rp_data->pdu.payload.len = gsm_to_ascii(&body.s[p], blen, rp_data->pdu.payload);
 					} else {
 						// Length is worst-case 2 * len (UCS2 is 2 Bytes, UTF8 is worst-case 4 Bytes)
-						rp_data->pdu.payload.s = pkg_malloc(len*4);
 						rp_data->pdu.payload.len = 0;
 						while (len > 0) {
 							j = (body.s[p] << 8) + body.s[p + 1];
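Review bot: The 7-bit branch now passes `blen` (the output allocation size, `2 + len*4`) as the second argument of `gsm_to_ascii()`, where the old code passed `len`, the length octet read from the message. The definition of `gsm_to_ascii()` is outside this hunk, but if that argument is the amount of input to decode, the call now consumes roughly four times more of `body.s` than the PDU declares, and could read past the body or write past the `blen`-byte buffer; keeping the input length would be `rp_data->pdu.payload.len = gsm_to_ascii(&body.s[p], len, rp_data->pdu.payload);`. The hunk also leaves `pkg_malloc(rp_data->pdu.destination.len)` on its first line unchecked before the pointer is handed to `DecodePhoneNumber()`, so it needs the same guard: `if (rp_data->pdu.destination.s == NULL) { LM_ERR("no more pkg\n"); return -1; }`. `decode_3gpp_sms()` starts and ends outside this hunk, so whether `p` is bounded against the body length cannot be judged from here.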
@@ -413,11 +418,11 @@ int decode_3gpp_sms(struct sip_msg *msg) {
 						}
 					}
 				}
-			}				
+			}
 		}
 	}
 
-	return 1;	
+	return 1;
 }
 
 int dumpRPData(sms_rp_data_t * rpdata, int level) {



