Hi All,

Summary:
The assigning of a nonexistent field in the EMI driver when creating a
submission report results in an out-of-bounds read.

Scenario:
The EMI driver checks for a DLR when a response is received for a submitted
message.
If there is a DLR requested for that message then the driver does the
following:

    /*
     * Recode the msg structure with the given msgdata.
     * Note: the DLR URL is delivered in msg->sms.dlr_url already.
     */
    dlrmsg->sms.msgdata = octstr_duplicate(emimsg->fields[E50_AMSG]);
    octstr_hex_to_binary(dlrmsg->sms.msgdata);
    dlrmsg->sms.sms_type = report;

Why does the driver assign the value of the E50_AMSG field to the msgdata
of the DLR message?

This field is not available in the EMI response. The response EMI message
only has three fields, so the above code accesses data beyond the array
bounds, as E50_AMSG has a value of 20.

Comments?

Warm Regards,
Michael.

ANAM Wireless Internet Solutions
http://www.anam.com mailto:[EMAIL PROTECTED]
+353 1 284 7555
Castle Yard, Saint Patrick's Road, Dalkey, County Dublin, Ireland
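The following is an added, self-contained C illustration of the bug pattern described in the mail; it is not Kannel's code and it does not use Kannel's emimsg or Octstr types. It assumes a constructed message model (a field count plus an array of field strings), a constructed three-field response, a constructed submit message whose field 20 carries a hex-encoded text, and the E50_AMSG value of 20 given above. It shows the unchecked lookup beside a checked one that returns NULL when the requested field does not exist in the message, so that building the DLR msgdata from a short response yields no data instead of a read past the array.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Index of the AMsg field in a 50-series submit, as stated in the mail. */
#define E50_AMSG 20

/* Constructed model of a parsed EMI message (assumption, not Kannel's struct). */
struct emimsg {
    int num_fields;
    char **fields;          /* num_fields entries, each a NUL-terminated string */
};

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

struct emimsg *emimsg_new(int num_fields)
{
    struct emimsg *m = calloc(1, sizeof *m);
    m->num_fields = num_fields;
    m->fields = calloc((size_t)num_fields, sizeof *m->fields);
    for (int i = 0; i < num_fields; i++)
        m->fields[i] = xstrdup("");
    return m;
}

void emimsg_set(struct emimsg *m, int idx, const char *val)
{
    free(m->fields[idx]);
    m->fields[idx] = xstrdup(val);
}

void emimsg_free(struct emimsg *m)
{
    for (int i = 0; i < m->num_fields; i++)
        free(m->fields[i]);
    free(m->fields);
    free(m);
}

/* The pattern the mail describes: the caller is trusted to know that this
 * message type has at least idx + 1 fields. With idx == E50_AMSG on a
 * three-field response this reads past the end of the fields array. */
const char *field_unchecked(const struct emimsg *m, int idx)
{
    return m->fields[idx];
}

/* Bounds-checked access: NULL when the field does not exist in this message. */
const char *field_checked(const struct emimsg *m, int idx)
{
    if (m == NULL || idx < 0 || idx >= m->num_fields)
        return NULL;
    return m->fields[idx];
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a hex string into a freshly allocated, NUL-terminated buffer.
 * Returns NULL on odd length or a non-hex digit. Stands in for the
 * hex-to-binary step in the quoted driver code. */
char *hex_to_binary(const char *hex, size_t *out_len)
{
    size_t n = strlen(hex);
    if (n % 2 != 0)
        return NULL;
    char *out = malloc(n / 2 + 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval((unsigned char)hex[i]);
        int lo = hexval((unsigned char)hex[i + 1]);
        if (hi < 0 || lo < 0) {
            free(out);
            return NULL;
        }
        out[i / 2] = (char)(hi * 16 + lo);
    }
    out[n / 2] = '\0';
    *out_len = n / 2;
    return out;
}

/* Build the DLR msgdata from a message, or return NULL when the message
 * carries no AMsg field at all (e.g. a short response). */
char *dlr_msgdata_from(const struct emimsg *m, size_t *out_len)
{
    const char *amsg = field_checked(m, E50_AMSG);
    if (amsg == NULL)
        return NULL;
    return hex_to_binary(amsg, out_len);
}

/* Constructed sample: a three-field response (field contents are made up). */
struct emimsg *make_sample_response(void)
{
    struct emimsg *m = emimsg_new(3);
    emimsg_set(m, 0, "A");
    emimsg_set(m, 2, "012345:120199120000");
    return m;
}

/* Constructed sample: a submit with 21 fields, field 20 = "Hello" in hex. */
struct emimsg *make_sample_submit(void)
{
    struct emimsg *m = emimsg_new(E50_AMSG + 1);
    emimsg_set(m, E50_AMSG, "48656C6C6F");
    return m;
}

int main(void)
{
    size_t n = 0;
    struct emimsg *resp = make_sample_response();
    struct emimsg *sub = make_sample_submit();
    char *d = dlr_msgdata_from(resp, &n);
    printf("response: msgdata %s\n", d == NULL ? "absent (no AMsg field)" : d);
    free(d);
    d = dlr_msgdata_from(sub, &n);
    printf("submit:   msgdata \"%s\" (%zu bytes)\n", d ? d : "(null)", n);
    free(d);
    emimsg_free(resp);
    emimsg_free(sub);
    return 0;
}
```

Run under AddressSanitizer (or valgrind) with a call to field_unchecked(resp, E50_AMSG) added to see the heap read the mail describes reported; the checked lookup turns the same call into a NULL that the DLR builder handles.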

