Message ID | 20241216110106.567830-1-absicsz@gmail.com (mailing list archive) |
---|---|
State | Under Review |
Series | [1/2] speedupmodem: ussd: ensure ussd content fits in buffer | expand |
On 12/16/24 5:00 AM, Sicelo A. Mhlongo wrote: > Additional fix for CVE-2024-7539 > --- > drivers/speedupmodem/ussd.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > This set also fails to compile: Fedora (glibc) clang debug+sanitizers ===================================== Configure: PASS Build: FAIL drivers/huaweimodem/ussd.c:42:23: error: unused variable 'msg_ptr' [-Werror,-Wunused-variable] 42 | const unsigned char *msg_ptr = NULL; | ^~~~~~~ drivers/huaweimodem/ussd.c:43:7: error: unused variable 'msg_len' [-Werror,-Wunused-variable] 43 | long msg_len; | ^~~~~~~ drivers/huaweimodem/ussd.c:54:8: error: use of undeclared label 'out' 54 | goto out; | ^ drivers/huaweimodem/ussd.c:62:2: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int] 62 | msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); | ^ | int drivers/huaweimodem/ussd.c:62:31: error: use of undeclared identifier 'content' 62 | msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); | ^ drivers/huaweimodem/ussd.c:62:45: error: use of undeclared identifier 'msg_len' 62 | msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); | ^ drivers/huaweimodem/ussd.c:62:57: error: use of undeclared identifier 'msg' 62 | msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); | ^ drivers/huaweimodem/ussd.c:64:1: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int] 64 | out: | ^ | int drivers/huaweimodem/ussd.c:64:4: error: expected ';' after top level declarator 64 | out: | ^ | ; drivers/huaweimodem/ussd.c:65:48: error: redefinition of parameter 'msg_ptr' 65 | ofono_ussd_notify(ussd, status, dcs, msg_ptr, msg_ptr ? msg_len : 0); | ^ drivers/huaweimodem/ussd.c:65:56: error: expected ')' 65 | ofono_ussd_notify(ussd, status, dcs, msg_ptr, msg_ptr ? 
msg_len : 0); | ^ drivers/huaweimodem/ussd.c:65:19: note: to match this '(' 65 | ofono_ussd_notify(ussd, status, dcs, msg_ptr, msg_ptr ? msg_len : 0); | ^ drivers/huaweimodem/ussd.c:65:2: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int] 65 | ofono_ussd_notify(ussd, status, dcs, msg_ptr, msg_ptr ? msg_len : 0); | ^ | int drivers/huaweimodem/ussd.c:65:20: error: a parameter list without types is only allowed in a function definition 65 | ofono_ussd_notify(ussd, status, dcs, msg_ptr, msg_ptr ? msg_len : 0); | ^ drivers/huaweimodem/ussd.c:66:1: error: extraneous closing brace ('}') 66 | } | ^ 14 errors generated. make[1]: *** [Makefile:4083: drivers/huaweimodem/ussd.o] Error 1 drivers/speedupmodem/ussd.c:41:23: error: unused variable 'msg_ptr' [-Werror,-Wunused-variable] 41 | const unsigned char *msg_ptr = NULL; | ^~~~~~~ drivers/speedupmodem/ussd.c:42:7: error: unused variable 'msg_len' [-Werror,-Wunused-variable] 42 | long msg_len; | ^~~~~~~ drivers/speedupmodem/ussd.c:53:8: error: use of undeclared label 'out' 53 | goto out; | ^ drivers/speedupmodem/ussd.c:61:2: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int] 61 | msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); | ^ | int drivers/speedupmodem/ussd.c:61:31: error: use of undeclared identifier 'content' 61 | msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); | ^ drivers/speedupmodem/ussd.c:61:45: error: use of undeclared identifier 'msg_len' 61 | msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); | ^ drivers/speedupmodem/ussd.c:61:57: error: use of undeclared identifier 'msg' 61 | msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); | ^ drivers/speedupmodem/ussd.c:63:1: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int] 63 | out: | ^ | int drivers/speedupmodem/ussd.c:63:4: error: expected 
';' after top level declarator 63 | out: | ^ | ; drivers/speedupmodem/ussd.c:64:48: error: redefinition of parameter 'msg_ptr' 64 | ofono_ussd_notify(ussd, status, dcs, msg_ptr, msg_ptr ? msg_len : 0); | ^ drivers/speedupmodem/ussd.c:64:56: error: expected ')' 64 | ofono_ussd_notify(ussd, status, dcs, msg_ptr, msg_ptr ? msg_len : 0); | ^ drivers/speedupmodem/ussd.c:64:19: note: to match this '(' 64 | ofono_ussd_notify(ussd, status, dcs, msg_ptr, msg_ptr ? msg_len : 0); | ^ drivers/speedupmodem/ussd.c:64:2: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int] 64 | ofono_ussd_notify(ussd, status, dcs, msg_ptr, msg_ptr ? msg_len : 0); | ^ | int drivers/speedupmodem/ussd.c:64:20: error: a parameter list without types is only allowed in a function definition 64 | ofono_ussd_notify(ussd, status, dcs, msg_ptr, msg_ptr ? msg_len : 0); | ^ drivers/speedupmodem/ussd.c:65:1: error: extraneous closing brace ('}') 65 | } | ^ 14 errors generated. make[1]: *** [Makefile:4083: drivers/speedupmodem/ussd.o] Error 1 make[1]: Target 'all-am' not remade because of errors. make: *** [Makefile:2388: all] Error 2
diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c
index aafa4bc9..7d2df790 100644
--- a/drivers/speedupmodem/ussd.c
+++ b/drivers/speedupmodem/ussd.c
@@ -37,7 +37,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 int status;
 int dcs = 0;
 const char *content;
- unsigned char msg[160];
+ unsigned char msg[160] = {0};
 const unsigned char *msg_ptr = NULL;
 long msg_len;
 
@@ -54,6 +54,10 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 
 g_at_result_iter_next_number(&iter, &dcs);
 
+ if (strlen(content) > sizeof(msg) * 2)
+ goto out;
+ }
+
 msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
 
 out:
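Review bot: The length guard added ahead of `decode_hex_own_buf()` in the second hunk rejects oversized USSD content silently and does not say where the limit `sizeof(msg) * 2` comes from. Because `content` is modem-supplied and this is the bound that closes CVE-2024-7539, I would add a comment such as `/* two hex digits decode to one byte, so msg can hold at most sizeof(msg) * 2 digits */` and a log line on the reject path, for example `ofono_warn("USSD content too long, dropping");`, so the event is visible to operators. The guard also depends on `content` being a valid NUL-terminated string at this point; `cusd_parse` starts and ends outside the hunk and the call that fills `content` is not visible, so please confirm that every path reaching `strlen(content)` has set it. The build log lists the same lines in drivers/huaweimodem/ussd.c, so the same comment and log line presumably apply to that driver too.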