[2/2] smsutil: Check that submit report fits in memory

Message ID	20231221141638.19774-3-d.grigorev@omp.ru (mailing list archive)
State	Superseded
Headers	show Received: from mx01.omp.ru (mx01.omp.ru [90.154.21.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A3E47846B for <ofono@lists.linux.dev>; Thu, 21 Dec 2023 14:39:16 +0000 (UTC) From: Denis Grigorev <d.grigorev@omp.ru> To: <ofono@lists.linux.dev> CC: <denkenz@gmail.com>, <d.grigorev@omp.ru> Subject: [PATCH 2/2] smsutil: Check that submit report fits in memory Date: Thu, 21 Dec 2023 17:16:38 +0300 Message-ID: <20231221141638.19774-3-d.grigorev@omp.ru> In-Reply-To: <20231221141638.19774-1-d.grigorev@omp.ru> References: <20231221141638.19774-1-d.grigorev@omp.ru> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain on: 12/21/2023 14:23:47 from: d.grigorev@omp.ru bases: 12/21/2023 10:52:00 AM X-KSE-Attachment-Filter-Triggered-Rules: Clean X-KSE-Attachment-Filter-Triggered-Filters: Clean X-KSE-BulkMessagesFiltering-Scan-Result: InTheLimit
Series	CVE-2023-4233 and CVE-2023-4234 \| expand [0/2] CVE-2023-4233 and CVE-2023-4234 [1/2] smsutil: Check that address fits in memory [2/2] smsutil: Check that submit report fits in memory

Message ID

20231221141638.19774-3-d.grigorev@omp.ru (mailing list archive)

State

Superseded

Headers

From: Denis Grigorev <d.grigorev@omp.ru>
To: <ofono@lists.linux.dev>
CC: <denkenz@gmail.com>, <d.grigorev@omp.ru>
Subject: [PATCH 2/2] smsutil: Check that submit report fits in memory
Date: Thu, 21 Dec 2023 17:16:38 +0300
Message-ID: <20231221141638.19774-3-d.grigorev@omp.ru>
In-Reply-To: <20231221141638.19774-1-d.grigorev@omp.ru>
References: <20231221141638.19774-1-d.grigorev@omp.ru>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain
X-KSE-Attachment-Filter-Triggered-Filters: Clean
X-KSE-BulkMessagesFiltering-Scan-Result: InTheLimit

Series

CVE-2023-4233 and CVE-2023-4234 | expand

Comments

Denis Kenzior Dec. 22, 2023, 7:38 p.m. UTC | #1

Hi Denis,

On 12/21/23 08:16, Denis Grigorev wrote:
> This addresses CVE-2023-4234.
> ---
>   src/smsutil.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 

Applied, thanks.

Regards,
-Denis

diff --git a/src/smsutil.c b/src/smsutil.c
index e9551b0d..6edf9ee6 100644
--- a/src/smsutil.c
+++ b/src/smsutil.c
@@ -942,10 +942,16 @@  static gboolean decode_submit_report(const unsigned char *pdu, int len,
 			return FALSE;
 
 		if (out->type == SMS_TYPE_SUBMIT_REPORT_ERROR) {
+			if (expected > (int) sizeof(out->submit_err_report.ud))
+				return FALSE;
+
 			out->submit_err_report.udl = udl;
 			memcpy(out->submit_err_report.ud,
 					pdu + offset, expected);
 		} else {
+			if (expected > (int) sizeof(out->submit_ack_report.ud))
+				return FALSE;
+
 			out->submit_ack_report.udl = udl;
 			memcpy(out->submit_ack_report.ud,
 					pdu + offset, expected);

[2/2] smsutil: Check that submit report fits in memory

Commit Message

Comments

Patch