authorEric Caruso <ejcaruso@chromium.org>2023-08-30 11:24:37 -0400
committerEric Caruso <ejcaruso@chromium.org>2023-08-30 12:42:15 -0400
commit201c8533e0e51c2f3ec6c64240d8a5705c26c8d3 (patch)
tree0b25a821ab2a912e158e9ae94986d5a4a9862123
parent8fc9b77750b35e7db40e995df37d920650c7068a (diff)
mm-sms-part-3gpp: avoid buffer overflow if packed data is too large
With GSM7 encoding, packlen is the length of the unpacked string after expanding septets to octets, so it will be ~14% bigger than the original string length. This means we have to be careful not to copy too much data into the PDU buffer. Similar issues exist in other branches of the same function. Thanks rhezashan@gmail.com for the report.
-rw-r--r--src/mm-sms-part-3gpp.c27
1 files changed, 27 insertions, 0 deletions
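diff --git a/src/mm-sms-part-3gpp.c b/src/mm-sms-part-3gpp.c
index a44b3970..6e089bd9 100644
--- a/src/mm-sms-part-3gpp.c
+++ b/src/mm-sms-part-3gpp.c
@@ -1065,6 +1065,15 @@ mm_sms_part_3gpp_get_submit_pdu (MMSmsPart *part,
 goto error;
 }
+ if (offset + packlen > PDU_SIZE) {
+ g_set_error (error,
+ MM_MESSAGE_ERROR,
+ MM_MESSAGE_ERROR_INVALID_PDU_PARAMETER,
+ "Packed user data is too large for PDU (want %d bytes total, have %d)",
+ offset + packlen, PDU_SIZE);
+ goto error;
+ }
+
 memcpy (&pdu[offset], packed, packlen);
 offset += packlen;
 } else if (encoding == MM_SMS_ENCODING_UCS2) {
@@ -1090,6 +1099,15 @@ mm_sms_part_3gpp_get_submit_pdu (MMSmsPart *part,
 *udl_ptr,
 mm_sms_part_get_concat_sequence (part) ? "with" : "without");
+ if (offset + array->len > PDU_SIZE) {
+ g_set_error (error,
+ MM_MESSAGE_ERROR,
+ MM_MESSAGE_ERROR_INVALID_PDU_PARAMETER,
+ "User data is too large for PDU (want %d bytes total, have %d)",
+ offset + array->len, PDU_SIZE);
+ goto error;
+ }
+
 memcpy (&pdu[offset], array->data, array->len);
 offset += array->len;
 } else if (mm_sms_part_get_encoding (part) == MM_SMS_ENCODING_8BIT) {
@@ -1105,6 +1123,15 @@ mm_sms_part_3gpp_get_submit_pdu (MMSmsPart *part,
 *udl_ptr,
 mm_sms_part_get_concat_sequence (part) ? "with" : "without");
+ if (offset + data->len > PDU_SIZE) {
+ g_set_error (error,
+ MM_MESSAGE_ERROR,
+ MM_MESSAGE_ERROR_INVALID_PDU_PARAMETER,
+ "User data is too large for PDU (want %d bytes total, have %d)",
+ offset + data->len, PDU_SIZE);
+ goto error;
+ }
+
 memcpy (&pdu[offset], data->data, data->len);
 offset += data->len;
 } else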
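Review bot: The `%d` conversions in the three new g_set_error messages do not match their arguments: `array->len` in the second hunk and `data->len` in the third are `guint` in GLib's GByteArray, so `offset + array->len` and `offset + data->len` are unsigned sums and want `%u`; `packlen` in the first hunk is presumably unsigned as well, and whether `PDU_SIZE` needs a cast depends on how that macro is defined, which is outside the hunk. The bounds checks themselves are correct and are the right place to reject oversized user data before the memcpy, so this only affects the diagnostic and `-Wformat` cleanliness; the fix is `"User data is too large for PDU (want %u bytes total, have %u)"` (and the same for the "Packed user data" message) with matching argument types. The same nine-line check is repeated in all three branches; a small `static gboolean` helper taking `offset`, the length, a description and `error` would keep the three limits in step if PDU_SIZE or the error code ever changes. mm_sms_part_3gpp_get_submit_pdu begins and ends outside these hunks, so I cannot see how `offset` is declared.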