From e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb Mon Sep 17 00:00:00 2001
From: Ivaylo Dimitrov
Date: Sun, 16 Mar 2025 12:26:42 +0200
Subject: [PATCH] qmi: sms: Fix possible out-of-bounds read
Fixes: CVE-2024-7537
CVE: CVE-2024-7537
Upstream-Status: Backport [https://web.git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb]
Signed-off-by: Peter Marko
---
 drivers/qmimodem/sms.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/qmimodem/sms.c b/drivers/qmimodem/sms.c
index 3e2bef6e..75863480 100644
--- a/drivers/qmimodem/sms.c
+++ b/drivers/qmimodem/sms.c
@@ -467,6 +467,8 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
 	const struct qmi_wms_result_msg_list *list;
 	uint32_t cnt = 0;
 	uint16_t tmp;
+	uint16_t length;
+	size_t msg_size;
 
 	DBG("");
 
@@ -476,7 +478,7 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
 		goto done;
 	}
 
-	list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, NULL);
+	list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, &length);
 	if (list == NULL) {
 		DBG("Err: get msg list empty");
 		goto done;
@@ -485,6 +487,13 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
 	cnt = GUINT32_FROM_LE(list->cnt);
 	DBG("msgs found %d", cnt);
 
+	msg_size = cnt * sizeof(list->msg[0]);
+
+	if (length != sizeof(list->cnt) + msg_size) {
+		DBG("Err: invalid msg list count");
+		goto done;
+	}
+
 	for (tmp = 0; tmp < cnt; tmp++) {
 		DBG("unread type %d ndx %d", list->msg[tmp].type,
 			GUINT32_FROM_LE(list->msg[tmp].ndx));
@@ -498,8 +507,6 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
 
 	/* save list and get 1st msg */
 	if (cnt) {
-		int msg_size = cnt * sizeof(list->msg[0]);
-
 		data->msg_list = g_try_malloc0(sizeof(list->cnt) + msg_size);
 		if (data->msg_list == NULL)
 			goto done;
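Review bot: The new length check in the third hunk computes the expected size from the modem-supplied count (`msg_size = cnt * sizeof(list->msg[0])`) instead of bounding the count by the TLV length, and it runs only after `cnt = GUINT32_FROM_LE(list->cnt)` has already been read from the TLV. On a 32-bit target that multiplication can wrap for a large cnt, and if sizeof(list->msg[0]) happens to be even a wrapped product plus sizeof(list->cnt) can still equal the 16-bit length, so the loop that follows would index list->msg[] far past the TLV; with an odd element size the wrap cannot line up, but the check should not depend on that. Rejecting `length < sizeof(list->cnt)` before reading list->cnt also avoids pulling a count out of a TLV shorter than four bytes (whether that read is actually out of bounds depends on how qmi_result_get sizes its buffer, which this patch does not show). The rewrite below bounds cnt against what length can hold before multiplying and then keeps the existing exact-length comparison. get_msg_list_cb begins before the first hunk and continues after the last.
```c
	list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, &length);
	/* … unchanged: list == NULL check … */

	/* the header must fit before cnt is read out of the TLV */
	if (length < sizeof(list->cnt)) {
		DBG("Err: msg list too short");
		goto done;
	}

	cnt = GUINT32_FROM_LE(list->cnt);
	DBG("msgs found %d", cnt);

	/* bound cnt by the TLV length before multiplying so msg_size cannot wrap */
	if (cnt > (length - sizeof(list->cnt)) / sizeof(list->msg[0])) {
		DBG("Err: invalid msg list count");
		goto done;
	}

	msg_size = cnt * sizeof(list->msg[0]);

	if (length != sizeof(list->cnt) + msg_size) {
		DBG("Err: invalid msg list count");
		goto done;
	}
	/* … unchanged: per-message DBG loop, msg_list allocation … */
```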