author | Aleksander Morgado <aleksandermj@chromium.org> | 2023-03-30 21:41:09 +0000 |
---|---|---|
committer | Aleksander Morgado <aleksandermj@chromium.org> | 2023-03-30 22:07:47 +0000 |
commit | 1b603300321a2af97573f067865b8429f344460f (patch) | |
tree | d7d3c3660d052f75af4405aeb2b5cf0100b5121d /src | |
parent | 6dccfc5abd4fe8af29210449ce2a78546633bdd1 (diff) |
sms-part-cdma: fix invalid memory read when parsing empty ascii text
The same fix is also applied to Latin-encoded text, where the empty-field case is equally possible.
==158856== Invalid read of size 1
==158856== at 0x10B814: read_bits (mm-sms-part-cdma.c:257)
==158856== by 0x10DB07: read_bearer_data_user_data (mm-sms-part-cdma.c:878)
==158856== by 0x10DB07: read_bearer_data (mm-sms-part-cdma.c:990)
==158856== by 0x10DB07: mm_sms_part_cdma_new_from_binary_pdu (mm-sms-part-cdma.c:1170)
==158856== by 0x10DE54: mm_sms_part_cdma_new_from_pdu (mm-sms-part-cdma.c:333)
==158856== by 0x10A916: common_test_invalid_part_from_hexpdu (test-sms-part-cdma.c:90)
==158856== by 0x10A916: common_test_invalid_part_from_pdu (test-sms-part-cdma.c:104)
==158856== by 0x4A0264D: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x4A02B1A: g_test_run_suite (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x4A02BBC: g_test_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x10A509: main (test-sms-part-cdma.c:595)
==158856== Address 0x51a627b is 0 bytes after a block of size 11 alloc'd
==158856== at 0x48455EF: calloc (vg_replace_malloc.c:1328)
==158856== by 0x49DF6C0: g_malloc0 (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x48ABD24: mm_utils_hexstr2bin (mm-common-helpers.c:1884)
==158856== by 0x10DE36: mm_sms_part_cdma_new_from_pdu (mm-sms-part-cdma.c:327)
==158856== by 0x10A916: common_test_invalid_part_from_hexpdu (test-sms-part-cdma.c:90)
==158856== by 0x10A916: common_test_invalid_part_from_pdu (test-sms-part-cdma.c:104)
==158856== by 0x4A0264D: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x4A023B4: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x4A02B1A: g_test_run_suite (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856== by 0x4A02BBC: g_test_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==158856==
Diffstat (limited to 'src')
-rw-r--r-- | src/mm-sms-part-cdma.c | 12 | ||||
-rw-r--r-- | src/tests/test-sms-part-cdma.c | 33 |
2 files changed, 45 insertions, 0 deletions
diff --git a/src/mm-sms-part-cdma.c b/src/mm-sms-part-cdma.c
index a579121b..d02e9dc5 100644
--- a/src/mm-sms-part-cdma.c
+++ b/src/mm-sms-part-cdma.c
@@ -869,6 +869,12 @@ read_bearer_data_user_data (MMSmsPart *sms_part,
 gchar *text;
 guint i;
 
+ if (num_fields == 0) {
+ mm_obj_dbg (log_object, " text: ''");
+ mm_sms_part_set_text (sms_part, "");
+ break;
+ }
+
 SUBPARAMETER_SIZE_CHECK (byte_offset + ((bit_offset + (num_fields * 7)) / 8));
 
 text = g_malloc (num_fields + 1);
@@ -888,6 +894,12 @@ read_bearer_data_user_data (MMSmsPart *sms_part,
 gchar *text;
 guint i;
 
+ if (num_fields == 0) {
+ mm_obj_dbg (log_object, " text: ''");
+ mm_sms_part_set_text (sms_part, "");
+ break;
+ }
+
 SUBPARAMETER_SIZE_CHECK (byte_offset + 1 + ((bit_offset + (num_fields * 8)) / 8));
 
 latin = g_malloc (num_fields + 1);
diff --git a/src/tests/test-sms-part-cdma.c b/src/tests/test-sms-part-cdma.c
index 935a9c6b..61a12e71 100644
--- a/src/tests/test-sms-part-cdma.c
+++ b/src/tests/test-sms-part-cdma.c
@@ -106,6 +106,27 @@ common_test_invalid_part_from_pdu (const guint8 *pdu,
 }
 
 static void
+common_test_valid_part_from_hexpdu (const gchar *hexpdu)
+{
+ g_autoptr(MMSmsPart) part = NULL;
+ GError *error = NULL;
+
+ part = mm_sms_part_cdma_new_from_pdu (0, hexpdu, NULL, &error);
+ g_assert (part != NULL);
+ g_assert (error == NULL);
+}
+
+static void
+common_test_valid_part_from_pdu (const guint8 *pdu,
+ gsize pdu_size)
+{
+ g_autofree gchar *hexpdu = NULL;
+
+ hexpdu = mm_utils_bin2hexstr (pdu, pdu_size);
+ common_test_valid_part_from_hexpdu (hexpdu);
+}
+
+static void
 test_pdu1 (void)
 {
 static const guint8 pdu[] = {
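Review bot: The new guard makes an ASCII user-data field with `num_fields == 0` a valid part carrying the empty string, while the test file in the same commit still expects the empty unicode case to be rejected (`test_empty_unicode_user_data` calls `common_test_invalid_part_from_pdu`), so the encodings now disagree on whether zero fields is well-formed; if that asymmetry is deliberate, say so at the guard, e.g. `/* Zero fields: nothing to decode, accept as empty text (unicode deliberately still rejects this) */`. The early `break` also bypasses SUBPARAMETER_SIZE_CHECK for this case, which is fine only because no payload bytes are consumed, and that reasoning belongs in the same comment since the macro is the only bound on the reads that follow. The `break` exits a switch whose head is outside the hunk, and read_bearer_data_user_data itself begins and ends outside it.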
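Review bot: The five added lines in the Latin branch are a byte-for-byte copy of the ASCII guard at +869, so the empty-field policy now lives in two places that must be kept in sync by hand. Hoisting one `if (num_fields == 0) { ... break; }` ahead of the per-encoding dispatch would express the rule once, but the dispatch itself is outside this hunk so that refactor cannot be judged from here; at minimum a short comment on each copy noting it mirrors the other would help a future edit. The enclosing function starts and ends outside the hunk.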
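Review bot: `g_assert (part != NULL)` followed by `g_assert (error == NULL)` in common_test_valid_part_from_hexpdu loses the parser's diagnostic when a PDU is rejected, because the first assertion aborts before the GError is ever looked at. Checking the error first with the dedicated GLib assertion prints the message on failure: `g_assert_no_error (error);` then `g_assert_nonnull (part);`. The raw `GError *error` is never freed, which only matters if assertions are compiled out, but a `g_autoptr(GError)` would make the helper leak-free in either build.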
@@ -370,6 +391,17 @@ test_empty_unicode_user_data (void)
 common_test_invalid_part_from_pdu (pdu, sizeof (pdu));
 }
 
+static void
+test_empty_ascii_user_data (void)
+{
+ static const guint8 pdu[] = {
+ 0x00, 0x08, 0x08, 0x01, 0x06, 0x10, 0x34, 0x00,
+ 0x00, 0x01, 0x00 };
+
+ /* valid but don't care about exact details */
+ common_test_valid_part_from_pdu (pdu, sizeof (pdu));
+}
+
 /********************* PDU CREATOR TESTS *********************/
 
 static void
@@ -576,6 +608,7 @@ int main (int argc, char **argv)
 g_test_add_func ("/MM/SMS/CDMA/PDU-Parser/latin-encoding-2", test_latin_encoding_2);
 g_test_add_func ("/MM/SMS/CDMA/PDU-Parser/unicode-encoding", test_unicode_encoding);
 g_test_add_func ("/MM/SMS/CDMA/PDU-Parser/empty-unicode-user-data", test_empty_unicode_user_data);
+ g_test_add_func ("/MM/SMS/CDMA/PDU-Parser/empty-ascii-user-data", test_empty_ascii_user_data);
 
 g_test_add_func ("/MM/SMS/CDMA/PDU-Creator/ascii-encoding", test_create_pdu_text_ascii_encoding);
 g_test_add_func ("/MM/SMS/CDMA/PDU-Creator/latin-encoding", test_create_pdu_text_latin_encoding);
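Review bot: The commit message says the same fix was applied to the Latin-encoded branch, but test_empty_ascii_user_data is the only regression test added, so the Latin guard is untested and the invalid read it closes could silently return. A sibling `test_empty_latin_user_data` built from the same 11-byte PDU with the encoding bits switched to the Latin value (and registered next to the new `empty-ascii-user-data` entry) would cover it, assuming the encoding is selectable in that field as it appears to be here. The test also only proves a part is returned; the comment `/* valid but don't care about exact details */` undersells what the fix guarantees, and asserting the decoded text is `""` through the part's text accessor, if one is exposed, would pin the new behaviour rather than just the absence of a crash.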