From 9c7a7fe29605d3d8bb5c0cfcee21a8f01ab9f4aa Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Thu, 29 Feb 2024 11:18:25 -0600
Subject: [PATCH 1/4] smsutil: ensure the address length in bytes <= 10

If a specially formatted SMS is received, it is conceivable that the address length might overflow the structure it is being parsed into. Ensure that the length in bytes of the address never exceeds 10.

CVE: CVE-2023-2794
Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682]
Signed-off-by: Archana Polampalli
---
 src/smsutil.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/smsutil.c b/src/smsutil.c
index f46507f..d3844f3 100644
--- a/src/smsutil.c
+++ b/src/smsutil.c
@@ -643,7 +643,12 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
 else
 byte_len = (addr_len + 1) / 2;

- if ((len - *offset) < byte_len)
+ /*
+ * 23.040:
+ * The maximum length of the full address field
+ * (AddressLength, TypeofAddress and AddressValue) is 12 octets.
+ */
+ if ((len - *offset) < byte_len || byte_len > 10)
 return FALSE;

 out->number_type = bit_field(addr_type, 4, 3);
--
2.40.0
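Review bot: The literal `10` in `byte_len > 10` is not explained by the comment above it, which cites only the 12-octet limit for the whole address field. The comment should close the gap with a line such as `* AddressLength and TypeofAddress take one octet each, so AddressValue is at most 10 octets.`, or the bound should become a named constant. The guard is also not tied to the size of the buffer in `out` that the decoded address is written to; that declaration is outside this hunk, so it is worth confirming that 10 octets still fit after unpacking. The check is upper-bound only, and the branch before `else` is not visible here, so whether `byte_len` can be negative on that path should be verified separately. The body of `sms_decode_address_field` starts and ends outside the hunk.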