-rw-r--r--src/mm-sms-part-3gpp.c14
-rw-r--r--src/tests/test-sms-part-3gpp.c11
2 files changed, 23 insertions, 2 deletions
diff --git a/src/mm-sms-part-3gpp.c b/src/mm-sms-part-3gpp.c
index 5d9d637a..aa34b220 100644
--- a/src/mm-sms-part-3gpp.c
+++ b/src/mm-sms-part-3gpp.c
@@ -692,6 +692,7 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint index,
bit_offset = 0;
if (has_udh) {
+ guint udhl_elements;
guint udhl, end;
udhl = pdu[tp_user_data_offset] + 1;
@@ -753,9 +754,18 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint index,
* user data to get a multiple of 7 (the padding).
*/
bit_offset = (7 - udhl % 7) % 7;
- tp_user_data_size_elements -= (udhl * 8 + bit_offset) / 7;
+ udhl_elements = (udhl * 8 + bit_offset) / 7;
} else
- tp_user_data_size_elements -= udhl;
+ udhl_elements = udhl;
+
+ if (udhl_elements >= tp_user_data_size_elements) {
+ g_set_error (error, MM_CORE_ERROR, MM_CORE_ERROR_FAILED,
+ "udhl length (%u) is greater than data size (%u)",
+ udhl_elements, tp_user_data_size_elements);
+ mm_sms_part_free (sms_part);
+ return NULL;
+ }
+ tp_user_data_size_elements -= udhl_elements;
}
switch (user_data_encoding) {
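Review bot: The new guard `if (udhl_elements >= tp_user_data_size_elements)` also rejects the equal case, while the error text says "greater than", so a PDU whose header exactly fills the declared user data is refused with a message that misdescribes it. If a header-only part is meant to be invalid, the message should read `"udhl length (%u) is greater than or equal to data size (%u)"`; if it is meant to be accepted, the comparison should be `>`. A short comment above the check, such as `/* both counts are guint: subtracting a larger header count would wrap to a huge user data size */`, would record why the test must come before the subtraction. The guard compares only against the declared element count; whether the header bytes also fit inside the real PDU buffer is presumably checked in the part of mm_sms_part_3gpp_new_from_binary_pdu outside this hunk, and is worth confirming.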
diff --git a/src/tests/test-sms-part-3gpp.c b/src/tests/test-sms-part-3gpp.c
index 9411ad2e..581b506d 100644
--- a/src/tests/test-sms-part-3gpp.c
+++ b/src/tests/test-sms-part-3gpp.c
@@ -457,6 +457,16 @@ test_pdu_wrong_address_size (void)
common_test_invalid_pdu (pdu, G_N_ELEMENTS (pdu));
}
+static void
+test_pdu_wrong_user_data_elements_size (void)
+{
+ static const guint8 pdu[] = {
+ 0x00, 0x41, 0x00, 0x01, 0x01, 0x00, 0x01, 0x4B,
+ 0x00, 0x00, 0x2E };
+
+ common_test_invalid_pdu (pdu, G_N_ELEMENTS (pdu));
+}
+
/********************* SMS ADDRESS ENCODER TESTS *********************/
static void
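Review bot: The byte array in test_pdu_wrong_user_data_elements_size has no comment saying which field is malformed, so a later reader cannot tell what makes this PDU invalid or whether it still reaches the new length check rather than an earlier one. A comment on the array naming the user-data-length and header-length bytes and their values would make the intent checkable, for example `/* UDHI set; TP-UDL smaller than the element count implied by UDHL */` (adjusted to the actual field layout). The test also feeds a single PDU, so it exercises at most one of the two branches that assign `udhl_elements`; a second PDU with the other data coding would cover both the septet and the octet calculation.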
@@ -755,6 +765,7 @@ int main (int argc, char **argv)
g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-insufficient-data", test_pdu_insufficient_data);
g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-no-address", test_pdu_no_address);
g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-wrong-address-size", test_pdu_wrong_address_size);
+ g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-wrong-user-data-elements-size", test_pdu_wrong_user_data_elements_size);
g_test_add_func ("/MM/SMS/3GPP/Address-Encoder/smsc-intl", test_address_encode_smsc_intl);
g_test_add_func ("/MM/SMS/3GPP/Address-Encoder/smsc-unknown", test_address_encode_smsc_unknown);