Hi All,

Summary: The assigning of a nonexistent field in the EMI driver when creating a submission report results in an out of bounds read.

Scenario: The EMI driver checks for a DLR when a response is received for a submitted message. If there is a DLR requested for that message then the driver does the following:

    /*
     * Recode the msg structure with the given msgdata.
     * Note: the DLR URL is delivered in msg->sms.dlr_url already.
     */
    dlrmsg->sms.msgdata = octstr_duplicate(emimsg->fields[E50_AMSG]);
    octstr_hex_to_binary(dlrmsg->sms.msgdata);
    dlrmsg->sms.sms_type = report;

Why does the driver assign the value of the E50_AMSG field to the msgdata of the dlr message? This field is not available in the EMI response. The response EMI message only has three fields so the above code accesses data beyond the array bounds as E50_AMSG has a value of 20.

Comments?

Warm Regards,
Michael.

ANAM Wireless Internet Solutions
http://www.anam.com
mailto:[EMAIL PROTECTED]
+353 1 284 7555
Castle Yard, Saint Patrick's Road, Dalkey, County Dublin, Ireland
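Added example, not part of the original post or the driver's own code: a self-contained C model of the check the post implies, where a field is read only if its index lies inside that message's own field array. The `emi_model` struct, `emi_field`, `dlr_msgdata_from` and both sample messages are hypothetical; only the index value 20 for `E50_AMSG` and the three-field response come from the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define E50_AMSG 20   /* field index quoted in the post */

/* Simplified stand-in for the driver's message type (assumption):
 * the field array is sized per message, so a response has fewer
 * slots than a full submit request. */
struct emi_model {
    size_t num_fields;
    const char **fields;
};

/* Bounds-checked accessor: NULL when idx is outside this message. */
static const char *emi_field(const struct emi_model *m, size_t idx)
{
    if (m == NULL || idx >= m->num_fields)
        return NULL;
    return m->fields[idx];
}

/* Copy the AMSG field for a delivery report, or return NULL when the
 * message has no such field. The caller frees the result. */
static char *dlr_msgdata_from(const struct emi_model *m)
{
    const char *amsg = emi_field(m, E50_AMSG);
    if (amsg == NULL)
        return NULL;
    char *copy = malloc(strlen(amsg) + 1);
    if (copy != NULL)
        strcpy(copy, amsg);
    return copy;
}

/* Constructed sample: a three-field response, as the post describes. */
static const char *resp_fields[3] = { "A", "", "0123456789:090196103258" };
static const struct emi_model sample_response = { 3, resp_fields };
/* Constructed sample: a request wide enough to carry AMSG (hex text). */
static const char *req_fields[33] = { [E50_AMSG] = "48656C6C6F" };
static const struct emi_model sample_request = { 33, req_fields };

int main(void)
{
    char *a = dlr_msgdata_from(&sample_response);
    char *b = dlr_msgdata_from(&sample_request);
    printf("response: %s\n", a ? a : "(no AMSG field)");
    printf("request:  %s\n", b ? b : "(no AMSG field)");
    free(a);
    free(b);
    return 0;
}
```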