Open Source Telephony
From: Jens Rehsack <jr_extern@vfnet.de>
To: ofono@ofono.org
Subject: [PATCH] add some length verification to avoid reading not owned memory
Date: Mon, 27 Feb 2012 10:21:15 +0100
Message-ID: <4F4B4B0B.7060606@vfnet.de>


Hi,

while reading mmsd sources I stumbled over missing length
checks in src/push.c:mms_push_notify(). I didn't re-read
the entire source to prove overall ;)

Best regards,
Jens

[-- Attachment #2: 0001-add-some-length-verification-to-avoid-reading-not-ow.patch --]

From 7fe33082555f43d6eb52d2bebb0a9c36f0bc4adc Mon Sep 17 00:00:00 2001
From: Jens Rehsack <jr_extern@vfnet.de>
Date: Mon, 27 Feb 2012 10:15:43 +0100
Subject: [PATCH] add some length verification to avoid reading not owned
 memory

---
 src/push.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/src/push.c b/src/push.c
index 6a54907..6107352 100644
--- a/src/push.c
+++ b/src/push.c
@@ -351,13 +351,16 @@ gboolean mms_push_notify(unsigned char *pdu, unsigned int len,
 	/* Consume TID and Type */
 	nread = 2;
 
-	if (wsp_decode_uintvar(pdu + nread, len,
+	if (wsp_decode_uintvar(pdu + nread, len - nread,
 					&headerslen, &consumed) == FALSE)
 		return FALSE;
 
 	/* Consume uintvar bytes */
 	nread += consumed;
 
+	/* Check if content type could be read */
+	if (headerslen > (len - nread))
+		return FALSE;
 	/* Try to decode content-type */
 	if (wsp_decode_content_type(pdu + nread, headerslen, &ct,
 			&consumed, &param_len) == FALSE)
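Review bot: `len - nread` is an unsigned subtraction with `nread` already set to 2, and nothing in this hunk guarantees `len >= 2`; if the caller passes a shorter PDU the length wraps to a huge value and both the new `len - nread` argument and the new `headerslen > (len - nread)` check are defeated. Unless an earlier check in mms_push_notify() (not visible here) already rejects `len < 2`, add `if (len < nread) return FALSE;` right after `nread = 2;`. Minor style point: the surrounding code separates each step with a blank line, so one is missing between the new `return FALSE;` and the `/* Try to decode content-type */` comment.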
@@ -370,6 +373,9 @@ gboolean mms_push_notify(unsigned char *pdu, unsigned int len,
 	consumed += param_len;
 	nread += consumed;
 
+	/* Check if application_id could be read */
+	if ((headerslen - consumed) > (len - nread))
+		return FALSE;
 	/* Parse header to decode application_id */
 	wsp_header_iter_init(&iter, pdu + nread, headerslen - consumed, 0);
 
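Review bot: this check only adds something when `consumed` (content type plus `param_len`) exceeds `headerslen`; otherwise the first hunk's `headerslen > (len - nread)` check already implies it, because both sides have since been reduced by the same `consumed`. In the case that matters, `headerslen - consumed` wraps (and `len - nread` may too), so the rejection currently depends on unsigned wraparound rather than stating the intent. Suggest `if (consumed > headerslen) return FALSE;` instead, which also keeps the `headerslen - consumed` passed to wsp_header_iter_init() from ever being a wrapped value. Same style point as the first hunk: a blank line is missing before `/* Parse header to decode application_id */`.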
-- 
1.7.9.1


Thread overview:
2012-02-27  9:21 Jens Rehsack [this message]
2012-02-27 17:22 ` [PATCH] add some length verification to avoid reading not owned memory Marcel Holtmann
2012-02-28  8:30   ` Jens Rehsack
2012-02-28  2:38     ` Denis Kenzior
