sms-part-3gpp: fix invalid memory ready by checking UDH length byte can be read

[debug] parsing PDU (0)...
  [debug]   no SMSC address given
  [debug]   submit type PDU detected
  [debug]   message reference: 1
  [debug]   address size: 1 digits (1 bytes)
  [debug]   number parsed: 00
  [debug]   validity available, format relative
  [debug]   PID: 0
  [debug]   user data encoding is GSM7
  [debug]   user data length: 0 elements
  [debug]   user data length: 0 bytes

  ==125780== Command: ./build/test/mmsmspdu --pdu=00F101010C0000000000 --verbose
  ==125780==
  ==125780== Invalid read of size 1
  ==125780==    at 0x10B422: mm_sms_part_3gpp_new_from_binary_pdu (mm-sms-part-3gpp.c:698)
  ==125780==    by 0x10BF57: mm_sms_part_3gpp_new_from_pdu (mm-sms-part-3gpp.c:368)
  ==125780==    by 0x10A44D: main (mmsmspdu.c:242)
  ==125780==  Address 0x519988a is 0 bytes after a block of size 10 alloc'd
  ==125780==    at 0x48455EF: calloc (vg_replace_malloc.c:1328)
  ==125780==    by 0x49DF6C0: g_malloc0 (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==125780==    by 0x48ABD24: mm_utils_hexstr2bin (mm-common-helpers.c:1884)
  ==125780==    by 0x10BF36: mm_sms_part_3gpp_new_from_pdu (mm-sms-part-3gpp.c:362)
  ==125780==    by 0x10A44D: main (mmsmspdu.c:242)
Aleksander Morgado
2023-03-30 21:01:44 +00:00
parent dbafff23a4
commit 3d9497ffbe
2 changed files with 12 additions and 0 deletions


@@ -695,6 +695,7 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint index,
guint udhl_elements; guint udhl_elements;
guint udhl, end; guint udhl, end;
PDU_SIZE_CHECK (tp_user_data_offset + 1, "cannot read UDH length");
udhl = pdu[tp_user_data_offset] + 1; udhl = pdu[tp_user_data_offset] + 1;
end = tp_user_data_offset + udhl; end = tp_user_data_offset + udhl;
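Review bot: The added PDU_SIZE_CHECK only guarantees that the UDH length byte at pdu[tp_user_data_offset] is inside the buffer; the `end` value computed on the last line of the hunk still has to be bounded against the PDU size before any UDH element after that byte is dereferenced, and that check, if present, lies in the lines after this hunk (the enclosing block continues outside it), so it is worth confirming it covers the whole range up to `end` rather than just the first element. The reason the new check is needed is not obvious from the code alone: the reproducer in the commit message has TP-UDL of 0 with the UDHI bit set, so the parser reached this read with nothing left in the PDU. A short comment above the check would preserve that, e.g. `/* UDHI may be set on a PDU whose user data is empty, so verify the UDH length byte itself is inside the PDU before reading it */`. Whether PDU_SIZE_CHECK returns an error or aborts parsing on failure is not visible here; the note assumes it exits the function on a too-short PDU.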


@@ -467,6 +467,16 @@ test_pdu_wrong_user_data_elements_size (void)
common_test_invalid_pdu (pdu, G_N_ELEMENTS (pdu)); common_test_invalid_pdu (pdu, G_N_ELEMENTS (pdu));
} }
static void
test_pdu_wrong_udh (void)
{
static const guint8 pdu[] = {
0x00, 0xF1, 0x01, 0x01, 0x0C, 0x00, 0x00, 0x00,
0x00, 0x00 };
common_test_invalid_pdu (pdu, G_N_ELEMENTS (pdu));
}
/********************* SMS ADDRESS ENCODER TESTS *********************/ /********************* SMS ADDRESS ENCODER TESTS *********************/
static void static void
@@ -766,6 +776,7 @@ int main (int argc, char **argv)
g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-no-address", test_pdu_no_address); g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-no-address", test_pdu_no_address);
g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-wrong-address-size", test_pdu_wrong_address_size); g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-wrong-address-size", test_pdu_wrong_address_size);
g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-wrong-user-data-elements-size", test_pdu_wrong_user_data_elements_size); g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-wrong-user-data-elements-size", test_pdu_wrong_user_data_elements_size);
g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-wrong-udh", test_pdu_wrong_udh);
g_test_add_func ("/MM/SMS/3GPP/Address-Encoder/smsc-intl", test_address_encode_smsc_intl); g_test_add_func ("/MM/SMS/3GPP/Address-Encoder/smsc-intl", test_address_encode_smsc_intl);
g_test_add_func ("/MM/SMS/3GPP/Address-Encoder/smsc-unknown", test_address_encode_smsc_unknown); g_test_add_func ("/MM/SMS/3GPP/Address-Encoder/smsc-unknown", test_address_encode_smsc_unknown);