sms-part-3gpp: fix invalid memory read parsing address

[debug] parsing PDU (0)...
    [debug]   no SMSC address given
    [debug]   status report type PDU detected
    [debug]   message reference: 191
    [debug]   address size: 0 digits (0 bytes)

  ==78906== Command: ./build/test/mmsmspdu --pdu=000ABF00 --verbose
  ==78906==
  ==78906== Invalid read of size 1
  ==78906==    at 0x10AA80: sms_decode_address (mm-sms-part-3gpp.c:132)
  ==78906==    by 0x10AF7C: mm_sms_part_3gpp_new_from_binary_pdu (mm-sms-part-3gpp.c:507)
  ==78906==    by 0x10BE17: mm_sms_part_3gpp_new_from_pdu (mm-sms-part-3gpp.c:368)
  ==78906==    by 0x10A44D: main (mmsmspdu.c:202)
  ==78906==  Address 0x5199874 is 0 bytes after a block of size 4 alloc'd
  ==78906==    at 0x48455EF: calloc (vg_replace_malloc.c:1328)
  ==78906==    by 0x49DF6C0: g_malloc0 (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
  ==78906==    by 0x48ABD24: mm_utils_hexstr2bin (mm-common-helpers.c:1884)
  ==78906==    by 0x10BDF6: mm_sms_part_3gpp_new_from_pdu (mm-sms-part-3gpp.c:362)
  ==78906==    by 0x10A44D: main (mmsmspdu.c:202)
Aleksander Morgado
2023-03-30 19:41:02 +00:00
parent 5d64ea7633
commit bc2aeeb7bd
2 changed files with 17 additions and 0 deletions


@@ -500,7 +500,15 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint index,
PDU_SIZE_CHECK (offset + 1, "cannot read number of digits in number");
tp_addr_size_digits = pdu[offset++];
tp_addr_size_bytes = (tp_addr_size_digits + 1) >> 1;
mm_obj_dbg (log_object, " address size: %u digits (%u bytes)",
tp_addr_size_digits, tp_addr_size_bytes);
if (tp_addr_size_bytes == 0) {
g_set_error (error, MM_CORE_ERROR, MM_CORE_ERROR_FAILED,
"Couldn't read address: field missing");
mm_sms_part_free (sms_part);
return NULL;
}
PDU_SIZE_CHECK (offset + tp_addr_size_bytes, "cannot read number");
address = sms_decode_address (&pdu[offset], tp_addr_size_digits, error);
if (!address) {
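Review bot: The size check before `sms_decode_address` still looks one octet short, because `PDU_SIZE_CHECK (offset + tp_addr_size_bytes, "cannot read number")` counts only the digit bytes; the valgrind trace in the commit message shows `sms_decode_address` reading a byte at `&pdu[offset]` even with zero digits, which suggests it consumes a leading type-of-address octet before the digits. If so, a buffer that ends right after that octet passes both the new zero-length check and the size check, and the last digit byte is read past the allocation. Consider `PDU_SIZE_CHECK (offset + 1 + tp_addr_size_bytes, "cannot read number");`, which would also reject the zero-digit input from the trace without a special branch. The body of `sms_decode_address` and the rest of `mm_sms_part_3gpp_new_from_binary_pdu` lie outside this hunk, so confirm against them.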


@@ -441,6 +441,14 @@ test_pdu_insufficient_data (void)
common_test_invalid_pdu (pdu, G_N_ELEMENTS (pdu));
}
static void
test_pdu_no_address (void)
{
static const guint8 pdu[] = { 0x00, 0x0A, 0xBF, 0x00 };
common_test_invalid_pdu (pdu, G_N_ELEMENTS (pdu));
}
/********************* SMS ADDRESS ENCODER TESTS *********************/
static void
@@ -737,6 +745,7 @@ int main (int argc, char **argv)
g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-stored-by-us", test_pdu_stored_by_us);
g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-not-stored", test_pdu_not_stored);
g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-insufficient-data", test_pdu_insufficient_data);
g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-no-address", test_pdu_no_address);
g_test_add_func ("/MM/SMS/3GPP/Address-Encoder/smsc-intl", test_address_encode_smsc_intl);
g_test_add_func ("/MM/SMS/3GPP/Address-Encoder/smsc-unknown", test_address_encode_smsc_unknown);
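Review bot: The four octets in `test_pdu_no_address` carry no comment saying what makes this PDU invalid, so the regression it pins is only recoverable from the commit message. A comment above the array such as `/* no SMSC, status-report PDU, message reference 191, address length 0 digits */` would record it, matching the debug output quoted in the commit. A sibling case with a non-zero digit count whose address bytes run to the very end of the buffer would also pin the neighbouring size check, unless `test_pdu_insufficient_data` (only partly visible here) already covers it.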