colin/ModemManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sms-part-cdma: fix invalid memory read when parsing empty ascii text

Browse Source 
Same fix also applied to latin encoded text as it also makes sense there.

  ==158856== Invalid read of size 1
  ==158856==    at 0x10B814: read_bits (mm-sms-part-cdma.c:257)
  ==158856==    by 0x10DB07: read_bearer_data_user_data (mm-sms-part-cdma.c:878)
  ==158856==    by 0x10DB07: read_bearer_data (mm-sms-part-cdma.c:990)
  ==158856==    by 0x10DB07: mm_sms_part_cdma_new_from_binary_pdu (mm-sms-part-cdma.c:1170)
  ==158856==    by 0x10DE54: mm_sms_part_cdma_new_from_pdu (mm-sms-part-cdma.c:333)
  ==158856==    by 0x10A916: common_test_invalid_part_from_hexpdu (test-sms-part-cdma.c:90)
  ==158856==    by 0x10A916: common_test_invalid_part_from_pdu (test-sms-part-cdma.c:104)
  ==158856==    by 0x4A0264D: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x4A02B1A: g_test_run_suite (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x4A02BBC: g_test_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x10A509: main (test-sms-part-cdma.c:595)
  ==158856==  Address 0x51a627b is 0 bytes after a block of size 11 alloc'd
  ==158856==    at 0x48455EF: calloc (vg_replace_malloc.c:1328)
  ==158856==    by 0x49DF6C0: g_malloc0 (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x48ABD24: mm_utils_hexstr2bin (mm-common-helpers.c:1884)
  ==158856==    by 0x10DE36: mm_sms_part_cdma_new_from_pdu (mm-sms-part-cdma.c:327)
  ==158856==    by 0x10A916: common_test_invalid_part_from_hexpdu (test-sms-part-cdma.c:90)
  ==158856==    by 0x10A916: common_test_invalid_part_from_pdu (test-sms-part-cdma.c:104)
  ==158856==    by 0x4A0264D: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x4A02B1A: g_test_run_suite (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==    by 0x4A02BBC: g_test_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==158856==
This commit is contained in:
Aleksander Morgado
2023-03-30 21:41:09 +00:00
parent 6dccfc5abd
commit 1b60330032
2 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/mm-sms-part-cdma.c
View File

@@ -869,6 +869,12 @@ read_bearer_data_user_data (MMSmsPart *sms_part,
gchar *text;
guint i;
if (num_fields == 0) {
mm_obj_dbg (log_object, " text: ''");
mm_sms_part_set_text (sms_part, "");
break;
}
SUBPARAMETER_SIZE_CHECK (byte_offset + ((bit_offset + (num_fields * 7)) / 8));
text = g_malloc (num_fields + 1);
@@ -888,6 +894,12 @@ read_bearer_data_user_data (MMSmsPart *sms_part,
gchar *text;
guint i;
if (num_fields == 0) {
mm_obj_dbg (log_object, " text: ''");
mm_sms_part_set_text (sms_part, "");
break;
}
SUBPARAMETER_SIZE_CHECK (byte_offset + 1 + ((bit_offset + (num_fields * 8)) / 8));
latin = g_malloc (num_fields + 1);

33
src/tests/test-sms-part-cdma.c
View File

@@ -105,6 +105,27 @@ common_test_invalid_part_from_pdu (const guint8 *pdu,
g_free (hexpdu);
}
static void
common_test_valid_part_from_hexpdu (const gchar *hexpdu)
{
g_autoptr(MMSmsPart) part = NULL;
GError *error = NULL;
part = mm_sms_part_cdma_new_from_pdu (0, hexpdu, NULL, &error);
g_assert (part != NULL);
g_assert (error == NULL);
}
static void
common_test_valid_part_from_pdu (const guint8 *pdu,
gsize pdu_size)
{
g_autofree gchar *hexpdu = NULL;
hexpdu = mm_utils_bin2hexstr (pdu, pdu_size);
common_test_valid_part_from_hexpdu (hexpdu);
}
static void
test_pdu1 (void)
{
@@ -370,6 +391,17 @@ test_empty_unicode_user_data (void)
common_test_invalid_part_from_pdu (pdu, sizeof (pdu));
}
static void
test_empty_ascii_user_data (void)
{
static const guint8 pdu[] = {
0x00, 0x08, 0x08, 0x01, 0x06, 0x10, 0x34, 0x00,
0x00, 0x01, 0x00 };
/* valid but don't care about exact details */
common_test_valid_part_from_pdu (pdu, sizeof (pdu));
}
/********************* PDU CREATOR TESTS *********************/
static void
@@ -576,6 +608,7 @@ int main (int argc, char **argv)
g_test_add_func ("/MM/SMS/CDMA/PDU-Parser/latin-encoding-2", test_latin_encoding_2);
g_test_add_func ("/MM/SMS/CDMA/PDU-Parser/unicode-encoding", test_unicode_encoding);
g_test_add_func ("/MM/SMS/CDMA/PDU-Parser/empty-unicode-user-data", test_empty_unicode_user_data);
g_test_add_func ("/MM/SMS/CDMA/PDU-Parser/empty-ascii-user-data", test_empty_ascii_user_data);
g_test_add_func ("/MM/SMS/CDMA/PDU-Creator/ascii-encoding", test_create_pdu_text_ascii_encoding);
g_test_add_func ("/MM/SMS/CDMA/PDU-Creator/latin-encoding", test_create_pdu_text_latin_encoding);