From dbafff23a42818820591234416b696984f4cc152 Mon Sep 17 00:00:00 2001
From: Aleksander Morgado
Date: Thu, 30 Mar 2023 20:08:18 +0000
Subject: sms-part-3gpp: avoid underflow in tp_user_data_size_elements

==101461== Command: ./build/test/mmsmspdu --pdu=004100010100014B00002E --verbose
==101461==
[debug] parsing PDU (0)...
[debug] no SMSC address given
[debug] submit type PDU detected
[debug] message reference: 0
[debug] address size: 1 digits (1 bytes)
[debug] number parsed: 00
[debug] PID: 1
[debug] user data encoding is GSM7
[debug] user data length: 0 elements
[debug] user data length: 0 bytes
[debug] decoding SMS text with 4294967294 elements
Based on a patch from Michal Mazur .
---
 src/mm-sms-part-3gpp.c | 14 ++++++++++++--
 src/tests/test-sms-part-3gpp.c | 11 +++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/mm-sms-part-3gpp.c b/src/mm-sms-part-3gpp.c
index 5d9d637a..aa34b220 100644
--- a/src/mm-sms-part-3gpp.c
+++ b/src/mm-sms-part-3gpp.c
@@ -692,6 +692,7 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint index,
 bit_offset = 0;
 if (has_udh) {
+ guint udhl_elements;
 guint udhl, end;
 udhl = pdu[tp_user_data_offset] + 1;
@@ -753,9 +754,18 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint index,
 * user data to get a multiple of 7 (the padding). */
 bit_offset = (7 - udhl % 7) % 7;
- tp_user_data_size_elements -= (udhl * 8 + bit_offset) / 7;
+ udhl_elements = (udhl * 8 + bit_offset) / 7;
 } else
- tp_user_data_size_elements -= udhl;
+ udhl_elements = udhl;
+
+ if (udhl_elements >= tp_user_data_size_elements) {
+ g_set_error (error, MM_CORE_ERROR, MM_CORE_ERROR_FAILED,
+ "udhl length (%u) is greater than data size (%u)",
+ udhl_elements, tp_user_data_size_elements);
+ mm_sms_part_free (sms_part);
+ return NULL;
+ }
+ tp_user_data_size_elements -= udhl_elements;
 }
 switch (user_data_encoding) {
diff --git a/src/tests/test-sms-part-3gpp.c b/src/tests/test-sms-part-3gpp.c
index 9411ad2e..581b506d 100644
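Review bot: The new guard in the second hunk of mm-sms-part-3gpp.c compares with `>=` while its error text says "greater than", so a PDU whose user data is exactly the header (udhl_elements == tp_user_data_size_elements) is rejected with a message that does not describe the condition that fired. If a header-only user data field is meant to be invalid, the message should match, e.g. `"udhl length (%u) is not smaller than data size (%u)"`; if such a PDU is meant to parse with zero text elements, the comparison should be `if (udhl_elements > tp_user_data_size_elements) {`, which still prevents the underflow from the commit message, though I cannot see from the hunk whether the decoding that follows handles a zero remaining count. Either way the test bytes in test-sms-part-3gpp.c pin only the strictly-greater case, so the equality case is currently untested. The enclosing function mm_sms_part_3gpp_new_from_binary_pdu starts and ends outside the hunk.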
--- a/src/tests/test-sms-part-3gpp.c
+++ b/src/tests/test-sms-part-3gpp.c
@@ -457,6 +457,16 @@ test_pdu_wrong_address_size (void)
 common_test_invalid_pdu (pdu, G_N_ELEMENTS (pdu));
 }
+static void
+test_pdu_wrong_user_data_elements_size (void)
+{
+ static const guint8 pdu[] = {
+ 0x00, 0x41, 0x00, 0x01, 0x01, 0x00, 0x01, 0x4B,
+ 0x00, 0x00, 0x2E };
+
+ common_test_invalid_pdu (pdu, G_N_ELEMENTS (pdu));
+}
+
 /********************* SMS ADDRESS ENCODER TESTS *********************/
 static void
@@ -755,6 +765,7 @@ int main (int argc, char **argv)
 g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-insufficient-data", test_pdu_insufficient_data);
 g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-no-address", test_pdu_no_address);
 g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-wrong-address-size", test_pdu_wrong_address_size);
+ g_test_add_func ("/MM/SMS/3GPP/PDU-Parser/pdu-wrong-user-data-elements-size", test_pdu_wrong_user_data_elements_size);
 g_test_add_func ("/MM/SMS/3GPP/Address-Encoder/smsc-intl", test_address_encode_smsc_intl);
 g_test_add_func ("/MM/SMS/3GPP/Address-Encoder/smsc-unknown", test_address_encode_smsc_unknown);
-- 
cgit v1.2.3-70-g09d2
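Review bot: The fixture in test_pdu_wrong_user_data_elements_size does not say which parser check its bytes are meant to trip, so a later change to the PDU parser could silently turn it into a test of some other rejection path. From the commit message this is the PDU of the reported run: the first octet has the UDHI bit set while the user data length is 0, so the UDH length alone exceeds the declared user data size, which previously underflowed tp_user_data_size_elements. Suggested comment above `static const guint8 pdu[] = {`: `/* UDHI set with TP-UDL 0: the UDH length exceeds the user data size and must be rejected rather than underflow the element count */`.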