From 3d9497ffbe779c64c99e449849e577d26edf3809 Mon Sep 17 00:00:00 2001
From: Aleksander Morgado
Date: Thu, 30 Mar 2023 21:01:44 +0000
Subject: sms-part-3gpp: fix invalid memory ready by checking UDH length byte can be read

[debug] parsing PDU (0)...
[debug] no SMSC address given
[debug] submit type PDU detected
[debug] message reference: 1
[debug] address size: 1 digits (1 bytes)
[debug] number parsed: 00
[debug] validity available, format relative
[debug] PID: 0
[debug] user data encoding is GSM7
[debug] user data length: 0 elements
[debug] user data length: 0 bytes
==125780== Command: ./build/test/mmsmspdu --pdu=00F101010C0000000000 --verbose
==125780==
==125780== Invalid read of size 1
==125780== at 0x10B422: mm_sms_part_3gpp_new_from_binary_pdu (mm-sms-part-3gpp.c:698)
==125780== by 0x10BF57: mm_sms_part_3gpp_new_from_pdu (mm-sms-part-3gpp.c:368)
==125780== by 0x10A44D: main (mmsmspdu.c:242)
==125780== Address 0x519988a is 0 bytes after a block of size 10 alloc'd
==125780== at 0x48455EF: calloc (vg_replace_malloc.c:1328)
==125780== by 0x49DF6C0: g_malloc0 (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==125780== by 0x48ABD24: mm_utils_hexstr2bin (mm-common-helpers.c:1884)
==125780== by 0x10BF36: mm_sms_part_3gpp_new_from_pdu (mm-sms-part-3gpp.c:362)
==125780== by 0x10A44D: main (mmsmspdu.c:242)
---
 src/mm-sms-part-3gpp.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/mm-sms-part-3gpp.c')

diff --git a/src/mm-sms-part-3gpp.c b/src/mm-sms-part-3gpp.c
index aa34b220..a44b3970 100644
--- a/src/mm-sms-part-3gpp.c
+++ b/src/mm-sms-part-3gpp.c
@@ -695,6 +695,7 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint index,
 guint udhl_elements;
 guint udhl, end;
 
+ PDU_SIZE_CHECK (tp_user_data_offset + 1, "cannot read UDH length");
 udhl = pdu[tp_user_data_offset] + 1;
 end = tp_user_data_offset + udhl;
 
-- 
cgit v1.2.3-70-g09d2
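Review bot: The added PDU_SIZE_CHECK only guarantees that the UDHL byte at `pdu[tp_user_data_offset]` is readable; the `end` computed two lines later from that attacker-controlled length byte is not validated against the PDU size anywhere in this hunk, so an over-long UDHL in an otherwise short PDU would still let the subsequent header walk read past the buffer unless the loop that follows bounds itself by the PDU length (it lies outside the hunk, so I cannot confirm that here). A second check right after the computation would close that gap independently of the loop, e.g. `PDU_SIZE_CHECK (end, "cannot read UDH");`, or the loop condition must be shown to compare against the PDU length rather than `end` alone. The test PDU in the description (`00F101010C0000000000`) exercises only the zero-length case, so a regression test with UDHL larger than the remaining bytes would pin the bound. mm_sms_part_3gpp_new_from_binary_pdu starts before and continues after this hunk.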