sms: prevent crash if date is out of range

g_date_time_new, and g_date_time_new_utc return NULL if inputs are out of range, and currently mm_new_iso8601_time passes the GDateTime created by those two functions to date_time_format_iso8601 without checking for NULL values, causing a g_date_time_format_iso8601 crash if PDU data is corrupted with wrong date. To prevent this, mm_new_iso8601_time now can return NULL and set a new GError if GDateTime created by g_date_time_new is NULL. Fixes #546
author: Carlo Lobrano <c.lobrano@gmail.com> 2022-04-08 11:46:11 +0200
committer: Carlo Lobrano <c.lobrano@gmail.com> 2022-04-08 15:41:49 +0200
commit: ac243f94676695d88e861d225e98ec5bb3c2861e (patch)
tree: 339f80e309a17e17e707d0716f2bf4e070fae2c1 /src
parent: 5c8c1136bd3bad2b542a0b3dc334dbd0686ba10d (diff)
2 files changed, 28 insertions, 10 deletions
diff --git a/src/mm-modem-helpers.c b/src/mm-modem-helpers.c
index 72714ab9..5e58ba9d 100644
--- a/src/mm-modem-helpers.c
+++ b/src/mm-modem-helpers.c
@@ -5112,15 +5112,17 @@ mm_parse_cclk_response (const char *response,
         mm_network_timezone_set_offset (*tzp, tz * 15);
     }
 
+    ret = TRUE;
+
     if (iso8601p) {
         /* Return ISO-8601 format date/time string */
         *iso8601p = mm_new_iso8601_time (year, month, day, hour,
                                          minute, second,
-                                         TRUE, (tz * 15));
+                                         TRUE, (tz * 15),
+                                         error);
+        ret = (*iso8601p != NULL);
     }
 
-    ret = TRUE;
-
  out:
     g_match_info_free (match_info);
     g_regex_unref (r);
diff --git a/src/mm-sms-part-3gpp.c b/src/mm-sms-part-3gpp.c
index bfae03a8..aeb9decb 100644
--- a/src/mm-sms-part-3gpp.c
+++ b/src/mm-sms-part-3gpp.c
@@ -161,7 +161,8 @@ sms_decode_address (const guint8  *address,
 }
 
 static gchar *
-sms_decode_timestamp (const guint8 *timestamp)
+sms_decode_timestamp (const guint8 *timestamp,
+                      GError **error)
 {
     /* ISO8601 format: YYYY-MM-DDTHH:MM:SS+HHMM */
     guint year, month, day, hour, minute, second;
@@ -179,7 +180,7 @@ sms_decode_timestamp (const guint8 *timestamp)
         offset_minutes = -1 * offset_minutes;
 
     return mm_new_iso8601_time (year, month, day, hour,
-                                minute, second, TRUE, offset_minutes);
+                                minute, second, TRUE, offset_minutes, error);
 }
 
 static MMSmsEncoding
@@ -509,6 +510,7 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint         index,
     /* Get timestamps and indexes for TP-PID, TP-DCS and TP-UDL/TP-UD */
 
     if (pdu_type == SMS_TP_MTI_SMS_DELIVER) {
+        gchar *str = NULL;
         PDU_SIZE_CHECK (offset + 9,
                         "cannot read PID/DCS/Timestamp"); /* 1+1+7=9 */
 
@@ -519,8 +521,13 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint         index,
         tp_dcs_offset = offset++;
 
         /* ------ Timestamp (7 bytes) ------ */
+        str = sms_decode_timestamp (&pdu[offset], error);
+        if (!str) {
+            mm_sms_part_free (sms_part);
+            return NULL;
+        }
         mm_sms_part_take_timestamp (sms_part,
-                                    sms_decode_timestamp (&pdu[offset]));
+                                    str);
         offset += 7;
 
         tp_user_data_len_offset = offset;
@@ -564,6 +571,7 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint         index,
         tp_user_data_len_offset = offset;
     }
     else if (pdu_type == SMS_TP_MTI_SMS_STATUS_REPORT) {
+        gchar *str = NULL;
         /* We have 2 timestamps in status report PDUs:
          *  first, the timestamp for when the PDU was received in the SMSC
          *  second, the timestamp for when the PDU was forwarded by the SMSC
@@ -571,13 +579,21 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint         index,
         PDU_SIZE_CHECK (offset + 15, "cannot read Timestamps/TP-STATUS"); /* 7+7+1=15 */
 
         /* ------ Timestamp (7 bytes) ------ */
-        mm_sms_part_take_timestamp (sms_part,
-                                    sms_decode_timestamp (&pdu[offset]));
+        str = sms_decode_timestamp (&pdu[offset], error);
+        if (!str) {
+            mm_sms_part_free (sms_part);
+            return NULL;
+        }
+        mm_sms_part_take_timestamp (sms_part, str);
         offset += 7;
 
         /* ------ Discharge Timestamp (7 bytes) ------ */
-        mm_sms_part_take_discharge_timestamp (sms_part,
-                                              sms_decode_timestamp (&pdu[offset]));
+        str = sms_decode_timestamp (&pdu[offset], error);
+        if (!str) {
+            mm_sms_part_free (sms_part);
+            return NULL;
+        }
+        mm_sms_part_take_discharge_timestamp (sms_part, str);
         offset += 7;
 
         /* ----- TP-STATUS (1 byte) ------ */
author	Carlo Lobrano <c.lobrano@gmail.com>	2022-04-08 11:46:11 +0200
committer	Carlo Lobrano <c.lobrano@gmail.com>	2022-04-08 15:41:49 +0200
commit	ac243f94676695d88e861d225e98ec5bb3c2861e (patch)
tree	339f80e309a17e17e707d0716f2bf4e070fae2c1 /src
parent	5c8c1136bd3bad2b542a0b3dc334dbd0686ba10d (diff)