From 74d9aa04040570c6ae73727e794897adc3665cd4 Mon Sep 17 00:00:00 2001
From: NetworkLab Dev
Date: Thu, 7 May 2026 10:39:43 -0400
Subject: [PATCH] proto_smpp: bound sm_length against buffer overflow

Clamp attacker-controlled sm_length to MAX_SMS_CHARACTERS in parse_submit_or_deliver_body() and reject oversized or odd UCS2 lengths in recv_smpp_msg() before they reach copy_fixed_str() or the GSM7/UCS2 decoders. Fixes a stack/heap buffer overflow reachable from a malicious SMSC peer sending submit_sm/deliver_sm with sm_length > 254.

Signed-off-by: NetworkLab Dev
---
 modules/proto_smpp/smpp.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/modules/proto_smpp/smpp.c b/modules/proto_smpp/smpp.c
index adee05aec2c..0f244f1ea17 100644
--- a/modules/proto_smpp/smpp.c
+++ b/modules/proto_smpp/smpp.c
@@ -1000,6 +1000,12 @@ static void parse_submit_or_deliver_body(smpp_submit_sm_t *body, smpp_header_t *
 body->data_coding = *p++;
 body->sm_default_msg_id = *p++;
 body->sm_length = *p++;
+ if (body->sm_length > MAX_SMS_CHARACTERS) {
+ LM_ERR("invalid short_message length %u (max %u)\n",
+ body->sm_length, MAX_SMS_CHARACTERS);
+ body->sm_length = 0;
+ return;
+ }
 copy_fixed_str(body->short_message, p, body->sm_length);
 }

@@ -1572,6 +1578,14 @@ static int recv_smpp_msg(smpp_header_t *header, smpp_deliver_sm_t *body,
 else
 init_str(&hdr, "Content-Type:text/plain\r\n");

+ if (body->sm_length > MAX_SMS_CHARACTERS) {
+ LM_ERR("invalid short_message length %u (max %u)\n",
+ body->sm_length, MAX_SMS_CHARACTERS);
+ pkg_free(src.s);
+ pkg_free(dst.s);
+ return -1;
+ }
+
 if (body->data_coding == SMPP_CODING_UCS2) {
 memset(sms_body,0,2*MAX_SMS_CHARACTERS);
 body_str.len = string2hex((char *)body->short_message,
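Review bot: The new early `return` in parse_submit_or_deliver_body() gives the caller no failure signal: the function is `static void`, and setting `body->sm_length = 0` makes an oversized PDU look like a valid empty message while `short_message` is left unwritten. If recv_smpp_msg() only sees bodies filled by this parser, its new `sm_length > MAX_SMS_CHARACTERS` test can then never fire, so the malformed PDU would be processed rather than dropped. Consider returning a status (`return -1;` in the guard, `return 0;` at the end) and having callers discard the PDU on failure. The guard also bounds only the destination: whether `p + body->sm_length` stays inside the received PDU, and whether `short_message` holds at least MAX_SMS_CHARACTERS bytes (comparing against `sizeof(body->short_message)` would tie the bound to the buffer), is not visible here because the function starts outside the hunk.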
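Review bot: The commit description says recv_smpp_msg() rejects odd UCS2 lengths, but the added guard tests only `body->sm_length > MAX_SMS_CHARACTERS`, so an odd `sm_length` still reaches the `SMPP_CODING_UCS2` branch that follows it. Folding the parity test into the same guard keeps the cleanup in one place: `if (body->sm_length > MAX_SMS_CHARACTERS || (body->data_coding == SMPP_CODING_UCS2 && (body->sm_length & 1))) {`. Judging by the two `pkg_free()` calls, the guard runs after `src.s` and `dst.s` were allocated; validating the length before those allocations would make the error path a plain `return -1;`. The function body starts and ends outside the hunk, so the allocation site and the remaining decoder calls should be checked against the same bound.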