proto_smpp: bound sm_length against buffer overflow (#3891)

Clamp attacker-controlled sm_length to MAX_SMS_CHARACTERS in
parse_submit_or_deliver_body() and reject oversized or odd UCS2
lengths in recv_smpp_msg() before they reach copy_fixed_str()
or the GSM7/UCS2 decoders.

Fixes a stack/heap buffer overflow reachable from a malicious
SMSC peer sending submit_sm/deliver_sm with sm_length > 254.

Signed-off-by: NetworkLab Dev <info@networklab.ca>

Author: volga629-1

modules/proto_smpp/smpp.c

@@ -1000,6 +1000,12 @@ static void parse_submit_or_deliver_body(smpp_submit_sm_t *body, smpp_header_t *
 	body->data_coding = *p++;
 	body->sm_default_msg_id = *p++;
 	body->sm_length = *p++;
+	if (body->sm_length > MAX_SMS_CHARACTERS) {
+		LM_ERR("invalid short_message length %u (max %u)\n",
+			body->sm_length, MAX_SMS_CHARACTERS);
+		body->sm_length = 0;
+		return;
+	}
 	copy_fixed_str(body->short_message, p, body->sm_length);
 }
 
@@ -1572,6 +1578,14 @@ static int recv_smpp_msg(smpp_header_t *header, smpp_deliver_sm_t *body,
 	else
 		init_str(&hdr, "Content-Type:text/plain\r\n");
 
+	if (body->sm_length > MAX_SMS_CHARACTERS) {
+		LM_ERR("invalid short_message length %u (max %u)\n",
+			body->sm_length, MAX_SMS_CHARACTERS);
+		pkg_free(src.s);
+		pkg_free(dst.s);
+		return -1;
+	}
+
 	if (body->data_coding == SMPP_CODING_UCS2) {
 		memset(sms_body,0,2*MAX_SMS_CHARACTERS);
 		body_str.len = string2hex((char *)body->short_message,