ofono.lists.linux.dev archive mirror
 help / color / mirror / Atom feed
* [PATCH 0/2] CVE-2023-4233 and CVE-2023-4234
@ 2023-12-21 14:16 Denis Grigorev
  2023-12-21 14:16 ` [PATCH 1/2] smsutil: Check that address fits in memory Denis Grigorev
  2023-12-21 14:16 ` [PATCH 2/2] smsutil: Check that submit report " Denis Grigorev
  0 siblings, 2 replies; 5+ messages in thread
From: Denis Grigorev @ 2023-12-21 14:16 UTC (permalink / raw)
  To: ofono; +Cc: denkenz, d.grigorev

Hello,

The following patches prevent possible buffer overflow during SMS
decoding. 

There are corresponding bug reports on Red Hat Bugzilla:

 * https://bugzilla.redhat.com/show_bug.cgi?id=2255396
 * https://bugzilla.redhat.com/show_bug.cgi?id=2255399

Denis Grigorev (2):
  smsutil: Check that address fits in memory
  smsutil: Check that submit report fits in memory

 src/smsutil.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

-- 
2.17.1


^ permalink raw reply	[flat|nested] 5+ messages in thread
* [PATCH 1/2] smsutil: Check that address fits in memory
  2023-12-21 14:16 [PATCH 0/2] CVE-2023-4233 and CVE-2023-4234 Denis Grigorev
@ 2023-12-21 14:16 ` Denis Grigorev
  2023-12-22 19:26   ` Denis Kenzior
  2023-12-21 14:16 ` [PATCH 2/2] smsutil: Check that submit report " Denis Grigorev
  1 sibling, 1 reply; 5+ messages in thread
From: Denis Grigorev @ 2023-12-21 14:16 UTC (permalink / raw)
  To: ofono; +Cc: denkenz, d.grigorev

This addresses CVE-2023-4233.
---
 src/smsutil.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/smsutil.c b/src/smsutil.c
index 8e57a065..e9551b0d 100644
--- a/src/smsutil.c
+++ b/src/smsutil.c
@@ -647,6 +647,10 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
 	out->numbering_plan = bit_field(addr_type, 0, 4);
 
 	if (out->number_type != SMS_NUMBER_TYPE_ALPHANUMERIC) {
+		/* BCD number consumes half as much memory */
+		if (byte_len * 2 >= (int) sizeof(out->address))
+			return FALSE;
+
 		extract_bcd_number(pdu + *offset, byte_len, out->address);
 		*offset += byte_len;
 	} else {
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [PATCH 2/2] smsutil: Check that submit report fits in memory
  2023-12-21 14:16 [PATCH 0/2] CVE-2023-4233 and CVE-2023-4234 Denis Grigorev
  2023-12-21 14:16 ` [PATCH 1/2] smsutil: Check that address fits in memory Denis Grigorev
@ 2023-12-21 14:16 ` Denis Grigorev
  2023-12-22 19:38   ` Denis Kenzior
  1 sibling, 1 reply; 5+ messages in thread
From: Denis Grigorev @ 2023-12-21 14:16 UTC (permalink / raw)
  To: ofono; +Cc: denkenz, d.grigorev

This addresses CVE-2023-4234.
---
 src/smsutil.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/smsutil.c b/src/smsutil.c
index e9551b0d..6edf9ee6 100644
--- a/src/smsutil.c
+++ b/src/smsutil.c
@@ -942,10 +942,16 @@ static gboolean decode_submit_report(const unsigned char *pdu, int len,
 			return FALSE;
 
 		if (out->type == SMS_TYPE_SUBMIT_REPORT_ERROR) {
+			if (expected > (int) sizeof(out->submit_err_report.ud))
+				return FALSE;
+
 			out->submit_err_report.udl = udl;
 			memcpy(out->submit_err_report.ud,
 					pdu + offset, expected);
 		} else {
+			if (expected > (int) sizeof(out->submit_ack_report.ud))
+				return FALSE;
+
 			out->submit_ack_report.udl = udl;
 			memcpy(out->submit_ack_report.ud,
 					pdu + offset, expected);
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] smsutil: Check that address fits in memory
  2023-12-21 14:16 ` [PATCH 1/2] smsutil: Check that address fits in memory Denis Grigorev
@ 2023-12-22 19:26   ` Denis Kenzior
  0 siblings, 0 replies; 5+ messages in thread
From: Denis Kenzior @ 2023-12-22 19:26 UTC (permalink / raw)
  To: Denis Grigorev, ofono

Hi Denis,

On 12/21/23 08:16, Denis Grigorev wrote:
> This addresses CVE-2023-4233.
> ---
>   src/smsutil.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/src/smsutil.c b/src/smsutil.c
> index 8e57a065..e9551b0d 100644
> --- a/src/smsutil.c
> +++ b/src/smsutil.c
> @@ -647,6 +647,10 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
>   	out->numbering_plan = bit_field(addr_type, 0, 4);
>   
>   	if (out->number_type != SMS_NUMBER_TYPE_ALPHANUMERIC) {
> +		/* BCD number consumes half as much memory */
> +		if (byte_len * 2 >= (int) sizeof(out->address))

Unfortunately this is not precise enough.  The AddressValue field is limited to 
10 bytes, or 20 bcd characters.  sizeof(out->address) is 23 due to UTF8 
representation of certain GSM characters.  It might be better to check addr_len 
above instead.

> +			return FALSE;
> +
>   		extract_bcd_number(pdu + *offset, byte_len, out->address);
>   		*offset += byte_len;
>   	} else {

Regards,
-Denis

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH 2/2] smsutil: Check that submit report fits in memory
  2023-12-21 14:16 ` [PATCH 2/2] smsutil: Check that submit report " Denis Grigorev
@ 2023-12-22 19:38   ` Denis Kenzior
  0 siblings, 0 replies; 5+ messages in thread
From: Denis Kenzior @ 2023-12-22 19:38 UTC (permalink / raw)
  To: Denis Grigorev, ofono

Hi Denis,

On 12/21/23 08:16, Denis Grigorev wrote:
> This addresses CVE-2023-4234.
> ---
>   src/smsutil.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 

Applied, thanks.

Regards,
-Denis


^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-12-22 19:38 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-12-21 14:16 [PATCH 0/2] CVE-2023-4233 and CVE-2023-4234 Denis Grigorev
2023-12-21 14:16 ` [PATCH 1/2] smsutil: Check that address fits in memory Denis Grigorev
2023-12-22 19:26   ` Denis Kenzior
2023-12-21 14:16 ` [PATCH 2/2] smsutil: Check that submit report " Denis Grigorev
2023-12-22 19:38   ` Denis Kenzior

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).