From bc2aeeb7bd059aa1ee9e6457a53204416c33efd8 Mon Sep 17 00:00:00 2001
From: Aleksander Morgado
Date: Thu, 30 Mar 2023 19:41:02 +0000
Subject: sms-part-3gpp: fix invalid memory read parsing address
[debug] parsing PDU (0)...
[debug] no SMSC address given
[debug] status report type PDU detected
[debug] message reference: 191
[debug] address size: 0 digits (0 bytes)
==78906== Command: ./build/test/mmsmspdu --pdu=000ABF00 --verbose
==78906==
==78906== Invalid read of size 1
==78906== at 0x10AA80: sms_decode_address (mm-sms-part-3gpp.c:132)
==78906== by 0x10AF7C: mm_sms_part_3gpp_new_from_binary_pdu (mm-sms-part-3gpp.c:507)
==78906== by 0x10BE17: mm_sms_part_3gpp_new_from_pdu (mm-sms-part-3gpp.c:368)
==78906== by 0x10A44D: main (mmsmspdu.c:202)
==78906== Address 0x5199874 is 0 bytes after a block of size 4 alloc'd
==78906== at 0x48455EF: calloc (vg_replace_malloc.c:1328)
==78906== by 0x49DF6C0: g_malloc0 (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==78906== by 0x48ABD24: mm_utils_hexstr2bin (mm-common-helpers.c:1884)
==78906== by 0x10BDF6: mm_sms_part_3gpp_new_from_pdu (mm-sms-part-3gpp.c:362)
==78906== by 0x10A44D: main (mmsmspdu.c:202)
---
src/mm-sms-part-3gpp.c | 8 ++++++++
1 file changed, 8 insertions(+)
(limited to 'src/mm-sms-part-3gpp.c')
diff --git a/src/mm-sms-part-3gpp.c b/src/mm-sms-part-3gpp.c
index 8a36cab3..4244de0c 100644
--- a/src/mm-sms-part-3gpp.c
+++ b/src/mm-sms-part-3gpp.c
@@ -500,7 +500,15 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint index,
 PDU_SIZE_CHECK (offset + 1, "cannot read number of digits in number");
 tp_addr_size_digits = pdu[offset++];
 tp_addr_size_bytes = (tp_addr_size_digits + 1) >> 1;
+ mm_obj_dbg (log_object, " address size: %u digits (%u bytes)",
+ tp_addr_size_digits, tp_addr_size_bytes);
+ if (tp_addr_size_bytes == 0) {
+ g_set_error (error, MM_CORE_ERROR, MM_CORE_ERROR_FAILED,
+ "Couldn't read address: field missing");
+ mm_sms_part_free (sms_part);
+ return NULL;
+ }
 PDU_SIZE_CHECK (offset + tp_addr_size_bytes, "cannot read number");
 address = sms_decode_address (&pdu[offset], tp_addr_size_digits, error);
 if (!address) {
-- cgit v1.2.3-70-g09d2
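Review bot: The size check on the line after the new guard still bounds only the packed digit bytes, yet the valgrind trace in the commit message shows sms_decode_address reading one byte beyond a zero-digit field, which suggests the decoder consumes a type-of-address octet ahead of the digits; if so, a one-digit address in a PDU that ends right after that octet passes `PDU_SIZE_CHECK (offset + tp_addr_size_bytes, ...)` and still reads past the buffer. Bounding the check as `PDU_SIZE_CHECK (offset + tp_addr_size_bytes + 1, "cannot read number");` would cover that case and make the added `tp_addr_size_bytes == 0` branch unnecessary — worth confirming against sms_decode_address, which is outside this hunk. As a style point, the new `g_set_error`/`mm_sms_part_free`/`return NULL` sequence looks like the same cleanup PDU_SIZE_CHECK performs for the checks around it; if the macro cannot express this condition, a comment such as `/* the decoder reads the type-of-address octet even when the field carries no digits */` on the guard would record why the zero case is handled separately. mm_sms_part_3gpp_new_from_binary_pdu begins and ends outside the hunk.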