plugin: Add debug output about closing and unloading plugins

Backport several security fixes from upstream

ofono/drivers/atmodem/sms.c

@@ -407,7 +407,7 @@ static void at_cmt_notify(GAtResult *result, gpointer user_data)
 	struct sms_data *data = ofono_sms_get_data(sms);
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[176];
+	unsigned char pdu[176] = {0};
 	long pdu_len;
 	int tpdu_len;
 
@@ -473,7 +473,7 @@ static void at_cmgr_notify(GAtResult *result, gpointer user_data)
 	struct sms_data *data = ofono_sms_get_data(sms);
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[176];
+	unsigned char pdu[176] = {0};
 	long pdu_len;
 	int tpdu_len;
 
@@ -655,7 +655,7 @@ static void at_cmgl_notify(GAtResult *result, gpointer user_data)
 	struct sms_data *data = ofono_sms_get_data(sms);
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[176];
+	unsigned char pdu[176] = {0};
 	long pdu_len;
 	int tpdu_len;
 	int index;

ofono/drivers/atmodem/ussd.c

@@ -105,7 +105,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	const char *content;
 	int dcs;
 	enum sms_charset charset;
-	unsigned char msg[160];
+	unsigned char msg[160] = {0};
 	const unsigned char *msg_ptr = NULL;
 	long msg_len;
 
@@ -123,6 +123,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	if (!g_at_result_iter_next_number(&iter, &dcs))
 		dcs = 0;
 
+	if (strlen(content) > sizeof(msg) * 2)
+		goto out;
+
 	if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
 		ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
 		status = 4; /* Not supported */

ofono/drivers/huaweimodem/ussd.c

@@ -50,7 +50,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	GAtResultIter iter;
 	int status, dcs;
 	const char *content;
-	unsigned char msg[160];
+	unsigned char msg[160] = {0};
 	const unsigned char *msg_ptr = NULL;
 	long msg_len;
 
@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	if (!g_at_result_iter_next_number(&iter, &dcs))
 		dcs = 0;
 
+	if (strlen(content) > sizeof(msg) * 2)
+		goto out;
+
 	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
 
 out:

ofono/drivers/speedupmodem/ussd.c

@@ -49,7 +49,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	GAtResultIter iter;
 	int status, dcs;
 	const char *content;
-	unsigned char msg[160];
+	unsigned char msg[160] = {0};
 	const unsigned char *msg_ptr = NULL;
 	long msg_len;
 
@@ -67,6 +67,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	if (!g_at_result_iter_next_number(&iter, &dcs))
 		dcs = 0;
 
+	if (strlen(content) > sizeof(msg) * 2)
+		goto out;
+
 	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
 
 out:

ofono/src/plugin.c

@@ -220,16 +220,20 @@ void __ofono_plugin_cleanup(void)
 	for (list = plugins; list; list = list->next) {
 		struct ofono_plugin *plugin = list->data;
 
-		if (plugin->active == TRUE && plugin->desc->exit)
+		if (plugin->active == TRUE && plugin->desc->exit) {
+			ofono_debug("Closing plugin %s", plugin->desc->name);
 			plugin->desc->exit();
+		}
 	}
 
 	/* Second pass - unload the libraries */
 	for (list = plugins; list; list = list->next) {
 		struct ofono_plugin *plugin = list->data;
 
-		if (plugin->handle)
+		if (plugin->handle) {
+			ofono_debug("Unloading plugin %s", plugin->desc->name);
 			dlclose(plugin->handle);
+		}
 	}
 
 	/* Finally, free the memory */

ofono/src/smsutil.c

@@ -783,6 +783,9 @@ static gboolean decode_deliver(const unsigned char *pdu, int len,
 
 	expected = sms_udl_in_bytes(out->deliver.udl, out->deliver.dcs);
 
+	if (expected < 0 || expected > (int)sizeof(out->deliver.ud))
+		return FALSE;
+
 	if ((len - offset) < expected)
 		return FALSE;
 
@@ -1087,6 +1090,9 @@ static gboolean decode_status_report(const unsigned char *pdu, int len,
 		if ((len - offset) < expected)
 			return FALSE;
 
+		if (expected > (int)sizeof(out->status_report.ud))
+			return FALSE;
+
 		memcpy(out->status_report.ud, pdu + offset, expected);
 	}
 
@@ -1236,10 +1242,16 @@ static gboolean decode_deliver_report(const unsigned char *pdu, int len,
 			return FALSE;
 
 		if (out->type == SMS_TYPE_DELIVER_REPORT_ERROR) {
+			if (expected > (int) sizeof(out->deliver_err_report.ud))
+				return FALSE;
+
 			out->deliver_err_report.udl = udl;
 			memcpy(out->deliver_err_report.ud,
 					pdu + offset, expected);
 		} else {
+			if (expected > (int) sizeof(out->deliver_ack_report.ud))
+				return FALSE;
+
 			out->deliver_ack_report.udl = udl;
 			memcpy(out->deliver_ack_report.ud,
 					pdu + offset, expected);
@@ -1474,6 +1486,9 @@ static gboolean decode_command(const unsigned char *pdu, int len,
 	if ((len - offset) < out->command.cdl)
 		return FALSE;
 
+	if (out->command.cdl > sizeof(out->command.cd))
+		return FALSE;
+
 	memcpy(out->command.cd, pdu + offset, out->command.cdl);
 
 	return TRUE;

ofono/src/stkutil.c

@@ -1816,6 +1816,10 @@ static bool parse_dataobj_frame_layout(struct comprehension_tlv_iter *iter,
 
 	fl->layout = data[0];
 	fl->len = len - 1;
+
+	if (fl->len > sizeof(fl->size))
+		return false;
+
 	memcpy(fl->size, data + 1, fl->len);
 
 	return true;
@@ -1909,6 +1913,10 @@ static bool parse_dataobj_mms_reference(struct comprehension_tlv_iter *iter,
 
 	data = comprehension_tlv_iter_get_data(iter);
 	mr->len = len;
+
+	if (len > sizeof(mr->ref))
+		return false;
+
 	memcpy(mr->ref, data, len);
 
 	return true;
@@ -1927,6 +1935,10 @@ static bool parse_dataobj_mms_id(struct comprehension_tlv_iter *iter,
 
 	data = comprehension_tlv_iter_get_data(iter);
 	mi->len = len;
+
+	if (len > sizeof(mi->id))
+		return false;
+
 	memcpy(mi->id, data, len);
 
 	return true;
@@ -1963,6 +1975,10 @@ static bool parse_dataobj_mms_content_id(
 
 	data = comprehension_tlv_iter_get_data(iter);
 	mci->len = len;
+
+	if (len > sizeof(mci->id))
+		return false;
+
 	memcpy(mci->id, data, len);
 
 	return true;