From 6d2cf926f3e8e87049ef13994488736b72760445 Mon Sep 17 00:00:00 2001
From: Andrzej Zaborowski
Date: Wed, 16 Sep 2009 16:03:50 +0200
Subject: [PATCH] Check received PDUs fit in the buffer, fix buffer size.

---
 drivers/atmodem/sms.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/drivers/atmodem/sms.c b/drivers/atmodem/sms.c
index 3b7e9e42..d4258186 100644
--- a/drivers/atmodem/sms.c
+++ b/drivers/atmodem/sms.c
@@ -314,7 +314,7 @@ static void at_cmt_notify(GAtResult *result, gpointer user_data)
 	const char *hexpdu;
 	long pdu_len;
 	int tpdu_len;
-	unsigned char pdu[164];
+	unsigned char pdu[176];
 	char buf[256];
 
 	dump_response("at_cmt_notify", TRUE, result);
@@ -324,6 +324,11 @@ static void at_cmt_notify(GAtResult *result, gpointer user_data)
 		return;
 	}
 
+	if (strlen(hexpdu) > sizeof(pdu) * 2) {
+		ofono_error("Bad PDU length in CMT notification");
+		return;
+	}
+
 	ofono_debug("Got new SMS Deliver PDU via CMT: %s, %d", hexpdu, tpdu_len);
 
 	decode_hex_own_buf(hexpdu, -1, &pdu_len, 0, pdu);
@@ -344,7 +349,7 @@ static void at_cmgr_notify(GAtResult *result, gpointer user_data)
 	struct ofono_sms *sms = user_data;
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[164];
+	unsigned char pdu[176];
 	long pdu_len;
 	int tpdu_len;
 
@@ -366,6 +371,9 @@ static void at_cmgr_notify(GAtResult *result, gpointer user_data)
 
 	hexpdu = g_at_result_pdu(result);
 
+	if (strlen(hexpdu) > sizeof(pdu) * 2)
+		goto err;
+
 	ofono_debug("Got PDU: %s, with len: %d", hexpdu, tpdu_len);
 
 	decode_hex_own_buf(hexpdu, -1, &pdu_len, 0, pdu);
@@ -485,7 +493,7 @@ static void at_cmgl_notify(GAtResult *result, gpointer user_data)
 	struct sms_data *data = ofono_sms_get_data(sms);
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[164];
+	unsigned char pdu[176];
 	long pdu_len;
 	int tpdu_len;
 	int index;
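Review bot: In the at_cmgr_notify hunk (-366) the new `strlen(hexpdu)` runs directly on the value just returned by g_at_result_pdu() with no NULL test in view, unlike the at_cmt_notify hunk whose check sits after an earlier early return; if g_at_result_pdu() can return NULL, that strlen is undefined behaviour, so the guard should read `if (hexpdu == NULL || strlen(hexpdu) > sizeof(pdu) * 2) goto err;`, and the at_cmgl_notify hunk (-518) needs the same treatment unless its loop already filters missing PDUs. The bound itself only caps the decoded byte count: an odd-length hex string and the modem-supplied tpdu_len still reach decode_hex_own_buf and ofono_sms_deliver_notify unchecked, and tpdu_len is never compared with pdu_len in these hunks, so it is worth confirming those callees tolerate that. Since the identical check now appears in all three handlers, a one-line comment such as `/* two hex digits per byte: reject PDUs that would overflow pdu[] */` at the first occurrence would document the `* 2`. The bodies of all three functions continue outside the hunks shown.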
@@ -518,6 +526,9 @@ static void at_cmgl_notify(GAtResult *result, gpointer user_data)
 		ofono_debug("Found an old SMS PDU: %s, with len: %d", hexpdu, tpdu_len);
 
+		if (strlen(hexpdu) > sizeof(pdu) * 2)
+			continue;
+
 		decode_hex_own_buf(hexpdu, -1, &pdu_len, 0, pdu);
 
 		ofono_sms_deliver_notify(sms, pdu, pdu_len, tpdu_len);