* [PATCH 0/2] CVE-2023-4233 and CVE-2023-4234
@ 2023-12-21 14:16 Denis Grigorev
2023-12-21 14:16 ` [PATCH 1/2] smsutil: Check that address fits in memory Denis Grigorev
2023-12-21 14:16 ` [PATCH 2/2] smsutil: Check that submit report " Denis Grigorev
0 siblings, 2 replies; 5+ messages in thread
From: Denis Grigorev @ 2023-12-21 14:16 UTC (permalink / raw)
To: ofono; +Cc: denkenz, d.grigorev
Hello,
The following patches prevent possible buffer overflow during SMS
decoding.
There are corresponding bug reports on Red Hat Bugzilla:
* https://bugzilla.redhat.com/show_bug.cgi?id=2255396
* https://bugzilla.redhat.com/show_bug.cgi?id=2255399
Denis Grigorev (2):
smsutil: Check that address fits in memory
smsutil: Check that submit report fits in memory
src/smsutil.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--
2.17.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/2] smsutil: Check that address fits in memory
2023-12-21 14:16 [PATCH 0/2] CVE-2023-4233 and CVE-2023-4234 Denis Grigorev
@ 2023-12-21 14:16 ` Denis Grigorev
2023-12-22 19:26 ` Denis Kenzior
2023-12-21 14:16 ` [PATCH 2/2] smsutil: Check that submit report " Denis Grigorev
1 sibling, 1 reply; 5+ messages in thread
From: Denis Grigorev @ 2023-12-21 14:16 UTC (permalink / raw)
To: ofono; +Cc: denkenz, d.grigorev
This addresses CVE-2023-4233.
---
src/smsutil.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/smsutil.c b/src/smsutil.c
index 8e57a065..e9551b0d 100644
--- a/src/smsutil.c
+++ b/src/smsutil.c
@@ -647,6 +647,10 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
out->numbering_plan = bit_field(addr_type, 0, 4);
if (out->number_type != SMS_NUMBER_TYPE_ALPHANUMERIC) {
+ /* BCD number consumes half as much memory */
+ if (byte_len * 2 >= (int) sizeof(out->address))
+ return FALSE;
+
extract_bcd_number(pdu + *offset, byte_len, out->address);
*offset += byte_len;
} else {
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH 1/2] smsutil: Check that address fits in memory
2023-12-21 14:16 ` [PATCH 1/2] smsutil: Check that address fits in memory Denis Grigorev
@ 2023-12-22 19:26 ` Denis Kenzior
0 siblings, 0 replies; 5+ messages in thread
From: Denis Kenzior @ 2023-12-22 19:26 UTC (permalink / raw)
To: Denis Grigorev, ofono
Hi Denis,
On 12/21/23 08:16, Denis Grigorev wrote:
> This addresses CVE-2023-4233.
> ---
> src/smsutil.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/src/smsutil.c b/src/smsutil.c
> index 8e57a065..e9551b0d 100644
> --- a/src/smsutil.c
> +++ b/src/smsutil.c
> @@ -647,6 +647,10 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
> out->numbering_plan = bit_field(addr_type, 0, 4);
>
> if (out->number_type != SMS_NUMBER_TYPE_ALPHANUMERIC) {
> + /* BCD number consumes half as much memory */
> + if (byte_len * 2 >= (int) sizeof(out->address))
Unfortunately this is not precise enough. The AddressValue field is limited to
10 bytes, or 20 bcd characters. sizeof(out->address) is 23 due to UTF8
representation of certain GSM characters. It might be better to check addr_len
above instead.
> + return FALSE;
> +
> extract_bcd_number(pdu + *offset, byte_len, out->address);
> *offset += byte_len;
> } else {
Regards,
-Denis
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 2/2] smsutil: Check that submit report fits in memory
2023-12-21 14:16 [PATCH 0/2] CVE-2023-4233 and CVE-2023-4234 Denis Grigorev
2023-12-21 14:16 ` [PATCH 1/2] smsutil: Check that address fits in memory Denis Grigorev
@ 2023-12-21 14:16 ` Denis Grigorev
2023-12-22 19:38 ` Denis Kenzior
1 sibling, 1 reply; 5+ messages in thread
From: Denis Grigorev @ 2023-12-21 14:16 UTC (permalink / raw)
To: ofono; +Cc: denkenz, d.grigorev
This addresses CVE-2023-4234.
---
src/smsutil.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/smsutil.c b/src/smsutil.c
index e9551b0d..6edf9ee6 100644
--- a/src/smsutil.c
+++ b/src/smsutil.c
@@ -942,10 +942,16 @@ static gboolean decode_submit_report(const unsigned char *pdu, int len,
return FALSE;
if (out->type == SMS_TYPE_SUBMIT_REPORT_ERROR) {
+ if (expected > (int) sizeof(out->submit_err_report.ud))
+ return FALSE;
+
out->submit_err_report.udl = udl;
memcpy(out->submit_err_report.ud,
pdu + offset, expected);
} else {
+ if (expected > (int) sizeof(out->submit_ack_report.ud))
+ return FALSE;
+
out->submit_ack_report.udl = udl;
memcpy(out->submit_ack_report.ud,
pdu + offset, expected);
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-12-22 19:38 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-12-21 14:16 [PATCH 0/2] CVE-2023-4233 and CVE-2023-4234 Denis Grigorev
2023-12-21 14:16 ` [PATCH 1/2] smsutil: Check that address fits in memory Denis Grigorev
2023-12-22 19:26 ` Denis Kenzior
2023-12-21 14:16 ` [PATCH 2/2] smsutil: Check that submit report " Denis Grigorev
2023-12-22 19:38 ` Denis Kenzior
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).