From: Denis Kenzior <denkenz@gmail.com>
To: ofono@lists.linux.dev
Cc: Denis Kenzior <denkenz@gmail.com>
Subject: [PATCH 2/4] smsutil: ensure the address length in bytes <= 10
Date: Thu, 29 Feb 2024 12:07:34 -0600
Message-ID: <20240229180746.1671015-2-denkenz@gmail.com>
In-Reply-To: <20240229180746.1671015-1-denkenz@gmail.com>

If a specially formatted SMS is received, it is conceivable that the
address length might overflow the structure it is being parsed into.
Ensure that the length in bytes of the address never exceeds 10.
---
src/smsutil.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/smsutil.c b/src/smsutil.c
index 954f92df2c0d..e89b4567f9f4 100644
--- a/src/smsutil.c
+++ b/src/smsutil.c
@@ -643,7 +643,12 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
else
byte_len = (addr_len + 1) / 2;
- if ((len - *offset) < byte_len)
+ /*
+ * 23.040:
+ * The maximum length of the full address field
+ * (AddressLength, TypeofAddress and AddressValue) is 12 octets.
+ */
+ if ((len - *offset) < byte_len || byte_len > 10)
return FALSE;
out->number_type = bit_field(addr_type, 4, 3);
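
Review bot: The literal 10 in `byte_len > 10` does not match the 12 octets quoted in the comment directly above it, so the reader has to work out that 10 is 12 minus the AddressLength and TypeofAddress octets. State that in the comment (for example "so AddressValue is at most 10 octets") or replace the literal with a named constant, ideally one tied to the size of the buffer in `out` that the commit message says can overflow, so the bound and the structure cannot drift apart. Because the `else` branch shown here and the branch before it both set byte_len ahead of this check, a unit test with an over-long address length for each encoding would pin the fix down.
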
--
2.43.0
Thread overview: 5+ messages
2024-02-29 18:07 [PATCH 1/4] voicecall: Drop unused GError variables Denis Kenzior
2024-02-29 18:07 ` Denis Kenzior [this message]
2024-02-29 18:07 ` [PATCH 3/4] smsutil: Check cbs_dcs_decode return value Denis Kenzior
2024-02-29 18:07 ` [PATCH 4/4] simutil: Make sure set_length on the parent succeeds Denis Kenzior
2024-02-29 20:40 ` [PATCH 1/4] voicecall: Drop unused GError variables patchwork-bot+ofono