On Monday, February 3, 2003, at 01:23, Michael Mulcahy wrote:
Hi All,
Summary:
The assigning of a nonexistent field in the EMI driver when creating a submission report results in an out of bounds read.
Scenario:
The EMI driver checks for a DLR when a response is received for a submitted message.
If there is a DLR requested for that message then the driver does the following:
/*
* Recode the msg structure with the given msgdata.
* Note: the DLR URL is delivered in msg->sms.dlr_url already.
*/
dlrmsg->sms.msgdata = octstr_duplicate(emimsg->fields[E50_AMSG]);
octstr_hex_to_binary(dlrmsg->sms.msgdata);
dlrmsg->sms.sms_type = report;
Why does the driver assign the value of the E50_AMSG field to the msgdata of the dlr message?
The AMSG field does contain the delivery report text of the SMSC.
This is a text of style "The message to 12345 with reference number 1847127 has been delivered on 12.1.2003 14:25"
This field is not available in the EMI response. The response EMI message only has three fields so the above code accesses data beyond the array bounds as E50_AMSG has a value of 20.
You're mixing up the SMSC response with the delivery report.
When you send a message, you send a type 51 message. You will get a 50ACK back saying the SMSC has accepted the SMS. This is NOT the delivery report. The SMSC response is acknowledging that the SMSC has accepted the message but it doesn't say that the message has been delivered to the handset. When the message has been delivered to the handset, the SMSC generates an incoming message of type "Delivery Report" which has all fields, very similar to an incoming SMS.
Andreas Fink
Global Networks Switzerland AG
------------------------------------------------------------------
Tel: +41-61-6666333 Fax: +41-61-6666334 Mobile: +41-79-2457333
Global Networks, Inc. Clarastrasse 3, 4058 Basel, Switzerland
Web: http://www.global-networks.ch/ [EMAIL PROTECTED]
------------------------------------------------------------------
Member of the GSM Association
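
Added example, not code from the driver or from either poster: a bounds-checked field accessor for EMI frames. It shows that a three-field type 51 result yields no AMsg, while an operation frame carrying the full field list does. The struct, the function names and both sample frames are hypothetical; the type 53 sample with 33 data fields is an assumption about the 5x operation layout.

```c
#include <stdlib.h>
#include <string.h>
#define EMI_MAX_FIELDS 40
#define E50_AMSG 20  /* index of AMsg among the data fields (value from the post) */

/* Hypothetical stand-in for the driver's message struct (assumption). */
struct emi_frame {
    char or_flag;                  /* 'O' operation, 'R' result */
    int ot, num_fields;            /* operation type; data fields present */
    char *fields[EMI_MAX_FIELDS];  /* point into buf */
    char buf[512];
};

/* Constructed samples; LEN and checksum are placeholders and are not checked. */
static const char SAMPLE_ACK[] = "00/00039/R/51/A//012345678:090196103258/9C";
static const char SAMPLE_DLR[] = "00/00000/O/53/12345/5550100/"
    "////" "////" "////" "////" "3//4F4B/" "////" "////" "////" "00";

/* Split on '/', keeping empty fields. Returns 0, or -1 if malformed. */
int emi_parse(struct emi_frame *f, const char *body) {
    char *tok[EMI_MAX_FIELDS + 5], *p;
    int n = 0;
    if (strlen(body) >= sizeof f->buf) return -1;
    strcpy(f->buf, body);
    for (p = f->buf; ; *p++ = '\0') {          /* terminate token, step past '/' */
        if (n == EMI_MAX_FIELDS + 5) return -1;
        tok[n++] = p;
        if (!(p = strchr(p, '/'))) break;
    }
    if (n < 5 || strlen(tok[2]) != 1) return -1;  /* TRN/LEN/O-R/OT/../checksum */
    f->or_flag = tok[2][0];
    f->ot = atoi(tok[3]);
    f->num_fields = n - 5;                     /* drop 4 header tokens + checksum */
    memcpy(f->fields, tok + 4, f->num_fields * sizeof *tok);
    return 0;
}

/* Bounds-checked accessor: NULL instead of a read past the parsed fields. */
const char *emi_field(const struct emi_frame *f, int idx) {
    return (idx >= 0 && idx < f->num_fields) ? f->fields[idx] : NULL;
}

/* AMsg exists only on operation frames; a 51 result carries three fields. */
const char *emi_dlr_text(const struct emi_frame *f) {
    return f->or_flag == 'O' ? emi_field(f, E50_AMSG) : NULL;
}
int main(void) {
    struct emi_frame f;
    return emi_parse(&f, SAMPLE_ACK) != 0 || emi_dlr_text(&f) != NULL;
}
```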
