mm-sms-part-3gpp: avoid buffer overflow if packed data is too large

With GSM7 encoding, packedlen is the length of the unpacked string after expanding septets to octets so it will be ~14% bigger than the original string length. This means we have to be careful not to copy too much data into the PDU buffer. Similar issues exist in other branches of the same function. Thanks rhezashan@gmail.com for the report.
2023-08-30 11:24:37 -04:00
parent 8fc9b77750
commit 201c8533e0
1 changed files with 27 additions and 0 deletions
--- a/src/mm-sms-part-3gpp.c
+++ b/src/mm-sms-part-3gpp.c
@@ -1065,6 +1065,15 @@ mm_sms_part_3gpp_get_submit_pdu (MMSmsPart *part,
            goto error;
        }

+        if (offset + packlen > PDU_SIZE) {
+            g_set_error (error,
+                         MM_MESSAGE_ERROR,
+                         MM_MESSAGE_ERROR_INVALID_PDU_PARAMETER,
+                         "Packed user data is too large for PDU (want %d bytes total, have %d)",
+                         offset + packlen, PDU_SIZE);
+            goto error;
+        }
+
        memcpy (&pdu[offset], packed, packlen);
        offset += packlen;
    } else if (encoding == MM_SMS_ENCODING_UCS2) {
@@ -1090,6 +1099,15 @@ mm_sms_part_3gpp_get_submit_pdu (MMSmsPart *part,
                    *udl_ptr,
                    mm_sms_part_get_concat_sequence (part) ? "with" : "without");

+        if (offset + array->len > PDU_SIZE) {
+            g_set_error (error,
+                         MM_MESSAGE_ERROR,
+                         MM_MESSAGE_ERROR_INVALID_PDU_PARAMETER,
+                         "User data is too large for PDU (want %d bytes total, have %d)",
+                         offset + array->len, PDU_SIZE);
+            goto error;
+        }
+
        memcpy (&pdu[offset], array->data, array->len);
        offset += array->len;
    } else if (mm_sms_part_get_encoding (part) == MM_SMS_ENCODING_8BIT) {
@@ -1105,6 +1123,15 @@ mm_sms_part_3gpp_get_submit_pdu (MMSmsPart *part,
                *udl_ptr,
                mm_sms_part_get_concat_sequence (part) ? "with" : "without");

+        if (offset + data->len > PDU_SIZE) {
+            g_set_error (error,
+                         MM_MESSAGE_ERROR,
+                         MM_MESSAGE_ERROR_INVALID_PDU_PARAMETER,
+                         "User data is too large for PDU (want %d bytes total, have %d)",
+                         offset + data->len, PDU_SIZE);
+            goto error;
+        }
+
        memcpy (&pdu[offset], data->data, data->len);
        offset += data->len;
    } else