ubports-volte/ofono
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ussd: ensure ussd content fits in buffers

Browse Source 
Fixes: CVE-2024-7539
(cherry picked from commit 389e2344f86319265fb72ae590b470716e038fdc)

Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078555
This commit is contained in:
Sicelo A. Mhlongo
2024-12-17 11:31:29 +02:00
committed by kuailexs
parent 47d385606f
commit d11edaa60d
3 changed files with 12 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
drivers/atmodem/ussd.c
View File

@@ -106,7 +106,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
const char *content;
int dcs;
enum sms_charset charset;
unsigned char msg[160];
unsigned char msg[160] = {0};
const unsigned char *msg_ptr = NULL;
long msg_len;
@@ -124,6 +124,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
if (!g_at_result_iter_next_number(&iter, &dcs))
dcs = 0;
if (strlen(content) > sizeof(msg) * 2)
goto out;
if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
status = 4; /* Not supported */

5
drivers/huaweimodem/ussd.c
View File

@@ -50,7 +50,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
GAtResultIter iter;
int status, dcs;
const char *content;
unsigned char msg[160];
unsigned char msg[160] = {0};
const unsigned char *msg_ptr = NULL;
long msg_len;
@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
if (!g_at_result_iter_next_number(&iter, &dcs))
dcs = 0;
if (strlen(content) > sizeof(msg) * 2)
goto out;
msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
out:

5
drivers/speedupmodem/ussd.c
View File

@@ -49,7 +49,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
GAtResultIter iter;
int status, dcs;
const char *content;
unsigned char msg[160];
unsigned char msg[160] = {0};
const unsigned char *msg_ptr = NULL;
long msg_len;
@@ -67,6 +67,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
if (!g_at_result_iter_next_number(&iter, &dcs))
dcs = 0;
if (strlen(content) > sizeof(msg) * 2)
goto out;
msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
out: