Check received PDUs fit in the buffer, fix buffer size.

2009-09-16 16:03:50 +02:00 · 2009-09-16 16:03:50 +02:00 · 6d2cf926f3
parent b83c7acfc9
commit 6d2cf926f3
1 changed files with 14 additions and 3 deletions
--- a/drivers/atmodem/sms.c
+++ b/drivers/atmodem/sms.c
@ -314,7 +314,7 @@ static void at_cmt_notify(GAtResult *result, gpointer user_data)
 	const char *hexpdu;
 	long pdu_len;
 	int tpdu_len;
-	unsigned char pdu[164];
+	unsigned char pdu[176];
 	char buf[256];

 	dump_response("at_cmt_notify", TRUE, result);
@ -324,6 +324,11 @@ static void at_cmt_notify(GAtResult *result, gpointer user_data)
 		return;
 	}

+	if (strlen(hexpdu) > sizeof(pdu) * 2) {
+		ofono_error("Bad PDU length in CMT notification");
+		return;
+	}
+
 	ofono_debug("Got new SMS Deliver PDU via CMT: %s, %d", hexpdu, tpdu_len);

 	decode_hex_own_buf(hexpdu, -1, &pdu_len, 0, pdu);
@ -344,7 +349,7 @@ static void at_cmgr_notify(GAtResult *result, gpointer user_data)
 	struct ofono_sms *sms = user_data;
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[164];
+	unsigned char pdu[176];
 	long pdu_len;
 	int tpdu_len;

@ -366,6 +371,9 @@ static void at_cmgr_notify(GAtResult *result, gpointer user_data)

 	hexpdu = g_at_result_pdu(result);

+	if (strlen(hexpdu) > sizeof(pdu) * 2)
+		goto err;
+
 	ofono_debug("Got PDU: %s, with len: %d", hexpdu, tpdu_len);

 	decode_hex_own_buf(hexpdu, -1, &pdu_len, 0, pdu);
@ -485,7 +493,7 @@ static void at_cmgl_notify(GAtResult *result, gpointer user_data)
 	struct sms_data *data = ofono_sms_get_data(sms);
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[164];
+	unsigned char pdu[176];
 	long pdu_len;
 	int tpdu_len;
 	int index;
@ -518,6 +526,9 @@ static void at_cmgl_notify(GAtResult *result, gpointer user_data)
 		ofono_debug("Found an old SMS PDU: %s, with len: %d",
 				hexpdu, tpdu_len);

+		if (strlen(hexpdu) > sizeof(pdu) * 2)
+			continue;
+
 		decode_hex_own_buf(hexpdu, -1, &pdu_len, 0, pdu);
 		ofono_sms_deliver_notify(sms, pdu, pdu_len, tpdu_len);