| Message ID | 20231221141638.19774-2-d.grigorev@omp.ru (mailing list archive) |
|---|---|
| State | Accepted, archived |
| Series | CVE-2023-4233 and CVE-2023-4234 |
Hi Denis, On 12/21/23 08:16, Denis Grigorev wrote: > This addresses CVE-2023-4233. > --- > src/smsutil.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/src/smsutil.c b/src/smsutil.c > index 8e57a065..e9551b0d 100644 > --- a/src/smsutil.c > +++ b/src/smsutil.c > @@ -647,6 +647,10 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len, > out->numbering_plan = bit_field(addr_type, 0, 4); > > if (out->number_type != SMS_NUMBER_TYPE_ALPHANUMERIC) { > + /* BCD number consumes half as much memory */ > + if (byte_len * 2 >= (int) sizeof(out->address)) Unfortunately this is not precise enough. The AddressValue field is limited to 10 bytes, or 20 bcd characters. sizeof(out->address) is 23 due to UTF8 representation of certain GSM characters. It might be better to check addr_len above instead. > + return FALSE; > + > extract_bcd_number(pdu + *offset, byte_len, out->address); > *offset += byte_len; > } else { Regards, -Denis
diff --git a/src/smsutil.c b/src/smsutil.c index 8e57a065..e9551b0d 100644 --- a/src/smsutil.c +++ b/src/smsutil.c @@ -647,6 +647,10 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len, out->numbering_plan = bit_field(addr_type, 0, 4); if (out->number_type != SMS_NUMBER_TYPE_ALPHANUMERIC) { + /* BCD number consumes half as much memory */ + if (byte_len * 2 >= (int) sizeof(out->address)) + return FALSE; + extract_bcd_number(pdu + *offset, byte_len, out->address); *offset += byte_len; } else {
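Review bot: the new bound `byte_len * 2 >= (int) sizeof(out->address)` guards the 23-byte buffer but does not enforce the protocol limit raised in the reply: with sizeof(out->address) == 23, byte_len == 11 (22 BCD digits) passes the check, while the AddressValue field is limited to 10 bytes, or 20 digits, so a 22-digit address is still accepted and copied into out->address. Checking the semi-octet count (addr_len) against the 20-digit maximum before byte_len is derived from it, as the reply suggests, rejects over-long and malformed lengths at the specification level instead of relying on the buffer size, and keeps the check independent of how out->address happens to be sized for the UTF-8 alphanumeric case. The comment `/* BCD number consumes half as much memory */` also reads backwards from the decoder's side, since each PDU byte expands to two characters in out->address; something like `/* each BCD byte decodes to two digits in out->address */` would make the reason for the `* 2` clearer.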