From 60ef408cd7c3d0c28ba6ac8809a1ff1a363d23d7 Mon Sep 17 00:00:00 2001
From: Aleksander Morgado
Date: Thu, 30 Mar 2023 19:51:04 +0000
Subject: sms-part-3gpp: fix invalid memory read due to wrong size check when reading address

Before the actual number digits there is always a Type of Address byte that we were not considering during the size check.

[debug] parsing PDU (0)...
[debug] no SMSC address given
[debug] deliver type PDU detected
[debug] address size: 1 digits (1 bytes)
==90832== Command: ./build/test/mmsmspdu --pdu=001C011C --verbose
==90832==
==90832== Invalid read of size 1
==90832== at 0x10AC90: sms_semi_octets_to_bcd_string (mm-sms-part-3gpp.c:71)
==90832== by 0x10AC90: sms_decode_address (mm-sms-part-3gpp.c:157)
==90832== by 0x10B0C5: mm_sms_part_3gpp_new_from_binary_pdu (mm-sms-part-3gpp.c:512)
==90832== by 0x10BF77: mm_sms_part_3gpp_new_from_pdu (mm-sms-part-3gpp.c:368)
==90832== by 0x10A44D: main (mmsmspdu.c:242)
==90832== Address 0x5199874 is 0 bytes after a block of size 4 alloc'd
==90832== at 0x48455EF: calloc (vg_replace_malloc.c:1328)
==90832== by 0x49DF6C0: g_malloc0 (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==90832== by 0x48ABD24: mm_utils_hexstr2bin (mm-common-helpers.c:1884)
==90832== by 0x10BF56: mm_sms_part_3gpp_new_from_pdu (mm-sms-part-3gpp.c:362)
==90832== by 0x10A44D: main (mmsmspdu.c:242)
---
 src/tests/test-sms-part-3gpp.c | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'src/tests')

diff --git a/src/tests/test-sms-part-3gpp.c b/src/tests/test-sms-part-3gpp.c
index d6573b13..9411ad2e 100644
--- a/src/tests/test-sms-part-3gpp.c
+++ b/src/tests/test-sms-part-3gpp.c
@@ -449,6 +449,14 @@ test_pdu_no_address (void)
 common_test_invalid_pdu (pdu, G_N_ELEMENTS (pdu));
 }
+static void
+test_pdu_wrong_address_size (void)
+{
+ static const guint8 pdu[] = { 0x00, 0x1C, 0x01, 0x1C };
+
+ common_test_invalid_pdu (pdu, G_N_ELEMENTS (pdu));
+}
+
 /********************* SMS ADDRESS ENCODER TESTS *********************/
 static void
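Review bot: The four PDU bytes in test_pdu_wrong_address_size are left unexplained, so a reader cannot tell which octet is missing or why the parser must reject the input; a comment above the array would tie the test to the fix, e.g. `/* SMSC length 0, deliver-type PDU, address length 1 digit, then only the Type-of-Address octet: no digit byte follows, so the address size check must fail */`. The decoding of the first three bytes matches the debug trace in the commit message (no SMSC, deliver type, address size 1 digit); that the trailing 0x1C is consumed as the Type-of-Address octet is inferred from the description, so confirm it against the parser. The parser change this test guards lives in mm-sms-part-3gpp.c, which is outside this patch (limited to src/tests), so the test only proves the fix when run together with that source change. A companion case with the Type-of-Address octet and the digit byte both present would also pin that the tightened check does not start rejecting a minimally valid address.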
@@ -746,6 +754,7 @@ int main (int argc, char **argv)
 g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-not-stored", test_pdu_not_stored);
 g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-insufficient-data", test_pdu_insufficient_data);
 g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-no-address", test_pdu_no_address);
+ g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-wrong-address-size", test_pdu_wrong_address_size);
 g_test_add_func ("/MM/SMS/3GPP/Address-Encoder/smsc-intl", test_address_encode_smsc_intl);
 g_test_add_func ("/MM/SMS/3GPP/Address-Encoder/smsc-unknown", test_address_encode_smsc_unknown);
-- cgit v1.2.3-70-g09d2