打补丁

Fixes: CVE-2024-7539
(cherry picked from commit 389e2344f86319265fb72ae590b470716e038fdc)

Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078555

debian/patches/0001-doc-ofonod.8-escape-minus-sign.patch

@@ -1,25 +0,0 @@
-From 20653ec096bd0e15c09926f8dfc7771bf2036b9a Mon Sep 17 00:00:00 2001
-From: Jonny Lamb <jonny@debian.org>
-Date: Mon, 29 Nov 2010 18:04:01 +0000
-Subject: [PATCH] doc/ofonod.8: escape minus sign
-
-I'm a sucker for lintian-cleanliness!
-
-Signed-off-by: Jonny Lamb <jonny@debian.org>
----
- doc/ofonod.8 |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-Index: ofono-1.9/doc/ofonod.8
-===================================================================
---- ofono-1.9.orig/doc/ofonod.8	2010-08-02 08:17:42.000000000 +0300
-+++ ofono-1.9/doc/ofonod.8	2012-07-31 19:49:47.000000000 +0300
-@@ -18,7 +18,7 @@
- .SH OPTIONS
- .TP
- .B --debug, -d
--Enable debug information output. Note multiple arguments to -d can be
-+Enable debug information output. Note multiple arguments to \-d can be
- specified, colon, comma or space separated. The arguments are relative
- source code filenames for which debugging output should be enabled;
- output shell-style globs are accepted (e.g.: "plugins/*:src/main.c").

debian/patches/0002-Remove-After-syslog.target-from-systemd-.service-fil.patch

@@ -1,31 +0,0 @@
-From: Laurent Bigonville <bigon@bigon.be>
-Date: Sun, 29 Dec 2019 12:45:31 +0100
-Subject: Remove After=syslog.target from systemd .service files
-
----
- dundee/dundee.service.in | 1 -
- src/ofono.service.in     | 1 -
- 2 files changed, 2 deletions(-)
-
-diff --git a/dundee/dundee.service.in b/dundee/dundee.service.in
-index 82c5ef1..561cdf1 100644
---- a/dundee/dundee.service.in
-+++ b/dundee/dundee.service.in
-@@ -1,6 +1,5 @@
- [Unit]
- Description=DUN service
--After=syslog.target
- 
- [Service]
- Type=dbus
-diff --git a/src/ofono.service.in b/src/ofono.service.in
-index c24ac28..25f2d77 100644
---- a/src/ofono.service.in
-+++ b/src/ofono.service.in
-@@ -1,6 +1,5 @@
- [Unit]
- Description=Telephony service
--After=syslog.target
- 
- [Service]
- Type=dbus

debian/patches/0003-smsutil-Check-that-submit-report-fits-in-memory.patch

@@ -1,34 +0,0 @@
-From: Denis Grigorev <d.grigorev@omp.ru>
-Date: Thu, 21 Dec 2023 17:16:38 +0300
-Subject: smsutil: Check that submit report fits in memory
-
-This addresses CVE-2023-4234.
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8d74bc66146ea78620d140640a0a57af86fc8936
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=2255399
-Bug-UBports: https://gitlab.com/ubports/ubuntu-touch/-/issues/2167
----
- src/smsutil.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/smsutil.c b/src/smsutil.c
-index 8e57a06..c25dbdb 100644
---- a/src/smsutil.c
-+++ b/src/smsutil.c
-@@ -938,10 +938,16 @@ static gboolean decode_submit_report(const unsigned char *pdu, int len,
- 			return FALSE;
- 
- 		if (out->type == SMS_TYPE_SUBMIT_REPORT_ERROR) {
-+			if (expected > (int) sizeof(out->submit_err_report.ud))
-+				return FALSE;
-+
- 			out->submit_err_report.udl = udl;
- 			memcpy(out->submit_err_report.ud,
- 					pdu + offset, expected);
- 		} else {
-+			if (expected > (int) sizeof(out->submit_ack_report.ud))
-+				return FALSE;
-+
- 			out->submit_ack_report.udl = udl;
- 			memcpy(out->submit_ack_report.ud,
- 					pdu + offset, expected);

debian/patches/0004-smsutil-Validate-the-length-of-the-address-field.patch

@@ -1,28 +0,0 @@
-From: Denis Grigorev <d.grigorev@omp.ru>
-Date: Fri, 29 Dec 2023 13:30:04 +0300
-Subject: smsutil: Validate the length of the address field
-
-This addresses CVE-2023-4233.
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=1a5fbefa59465bec80425add562bdb1d36ec8e23
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=2255396
-Bug-UBports: https://gitlab.com/ubports/ubuntu-touch/-/issues/2167
----
- src/smsutil.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/smsutil.c b/src/smsutil.c
-index c25dbdb..27c5065 100644
---- a/src/smsutil.c
-+++ b/src/smsutil.c
-@@ -627,6 +627,10 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
- 	if (!next_octet(pdu, len, offset, &addr_len))
- 		return FALSE;
- 
-+	/* According to 23.040 9.1.2.5 Address-Length must not exceed 20 */
-+	if (addr_len > 20)
-+		return FALSE;
-+
- 	if (sc && addr_len == 0) {
- 		out->address[0] = '\0';
- 		return TRUE;

debian/patches/CVE-2023-2794/0005-smsutil-ensure-the-address-length-in-bytes-10.patch

@@ -1,33 +0,0 @@
-From: Denis Kenzior <denkenz@gmail.com>
-Date: Thu, 29 Feb 2024 11:18:25 -0600
-Subject: smsutil: ensure the address length in bytes <= 10
-
-If a specially formatted SMS is received, it is conceivable that the
-address length might overflow the structure it is being parsed into.
-Ensure that the length in bytes of the address never exceeds 10.
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682
-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2255387
-Bug-UBports: https://gitlab.com/ubports/development/core/packaging/ofono/-/issues/2
----
- src/smsutil.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/smsutil.c b/src/smsutil.c
-index 27c5065..fadf625 100644
---- a/src/smsutil.c
-+++ b/src/smsutil.c
-@@ -644,7 +644,12 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
- 	else
- 		byte_len = (addr_len + 1) / 2;
- 
--	if ((len - *offset) < byte_len)
-+	/*
-+	 * 23.040:
-+	 * The maximum length of the full address field
-+	 * (AddressLength, TypeofAddress and AddressValue) is 12 octets.
-+	 */
-+	if ((len - *offset) < byte_len || byte_len > 10)
- 		return FALSE;
- 
- 	out->number_type = bit_field(addr_type, 4, 3);

debian/patches/CVE-2023-2794/0006-smsutil-Check-cbs_dcs_decode-return-value.patch

@@ -1,28 +0,0 @@
-From: Denis Kenzior <denkenz@gmail.com>
-Date: Thu, 29 Feb 2024 11:42:28 -0600
-Subject: smsutil: Check cbs_dcs_decode return value
-
-It is better to explicitly check the return value of cbs_dcs_decode
-instead of relying on udhi not being changed due to side-effects.
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400
-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2255387
-Bug-UBports: https://gitlab.com/ubports/development/core/packaging/ofono/-/issues/2
----
- src/smsutil.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/smsutil.c b/src/smsutil.c
-index fadf625..1e136c5 100644
---- a/src/smsutil.c
-+++ b/src/smsutil.c
-@@ -1766,7 +1766,8 @@ gboolean sms_udh_iter_init_from_cbs(const struct cbs *cbs,
- 	const guint8 *hdr;
- 	guint8 max_ud_len;
- 
--	cbs_dcs_decode(cbs->dcs, &udhi, NULL, NULL, NULL, NULL, NULL);
-+	if (!cbs_dcs_decode(cbs->dcs, &udhi, NULL, NULL, NULL, NULL, NULL))
-+		return FALSE;
- 
- 	if (!udhi)
- 		return FALSE;

debian/patches/CVE-2023-2794/0007-simutil-Make-sure-set_length-on-the-parent-succeeds.patch

@@ -1,40 +0,0 @@
-From: Denis Kenzior <denkenz@gmail.com>
-Date: Thu, 29 Feb 2024 12:06:54 -0600
-Subject: simutil: Make sure set_length on the parent succeeds
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e
-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2255387
-Bug-UBports: https://gitlab.com/ubports/development/core/packaging/ofono/-/issues/2
----
- src/simutil.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/src/simutil.c b/src/simutil.c
-index 59d8d5d..0e131e8 100644
---- a/src/simutil.c
-+++ b/src/simutil.c
-@@ -588,8 +588,9 @@ gboolean ber_tlv_builder_set_length(struct ber_tlv_builder *builder,
- 	if (new_pos > builder->max)
- 		return FALSE;
- 
--	if (builder->parent)
--		ber_tlv_builder_set_length(builder->parent, new_pos);
-+	if (builder->parent &&
-+			!ber_tlv_builder_set_length(builder->parent, new_pos))
-+		return FALSE;
- 
- 	builder->len = new_len;
- 
-@@ -730,9 +731,9 @@ gboolean comprehension_tlv_builder_set_length(
- 	if (builder->pos + new_ctlv_len > builder->max)
- 		return FALSE;
- 
--	if (builder->parent)
--		ber_tlv_builder_set_length(builder->parent,
--						builder->pos + new_ctlv_len);
-+	if (builder->parent && !ber_tlv_builder_set_length(builder->parent,
-+						builder->pos + new_ctlv_len))
-+		return FALSE;
- 
- 	len = MIN(builder->len, new_len);
- 	if (len > 0 && new_len_size != len_size)

debian/patches/CVE-2023-2794/0008-smsutil-Use-a-safer-strlcpy.patch

@@ -1,123 +0,0 @@
-From: Denis Kenzior <denkenz@gmail.com>
-Date: Thu, 29 Feb 2024 17:16:00 -0600
-Subject: smsutil: Use a safer strlcpy
-
-sms_address_from_string is meant as private API, to be used with string
-form addresses that have already been sanitized.  However, to be safe,
-use a safe version of strcpy to avoid overflowing the buffer in case the
-input was not sanitized properly.  While here, add a '__' prefix to the
-function name to help make it clearer that this API is private and
-should be used with more care.
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8fa1fdfcb54e1edb588c6a5e2688880b065a39c9
-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2255387
-Bug-UBports: https://gitlab.com/ubports/development/core/packaging/ofono/-/issues/2
----
- src/smsutil.c   | 14 +++++++-------
- src/smsutil.h   |  2 +-
- unit/test-sms.c |  6 +++---
- 3 files changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/src/smsutil.c b/src/smsutil.c
-index 1e136c5..e90bedf 100644
---- a/src/smsutil.c
-+++ b/src/smsutil.c
-@@ -1888,15 +1888,15 @@ time_t sms_scts_to_time(const struct sms_scts *scts, struct tm *remote)
- 	return ret;
- }
- 
--void sms_address_from_string(struct sms_address *addr, const char *str)
-+void __sms_address_from_string(struct sms_address *addr, const char *str)
- {
- 	addr->numbering_plan = SMS_NUMBERING_PLAN_ISDN;
- 	if (str[0] == '+') {
- 		addr->number_type = SMS_NUMBER_TYPE_INTERNATIONAL;
--		strcpy(addr->address, str + 1);
-+		l_strlcpy(addr->address, str + 1, sizeof(addr->address));
- 	} else {
- 		addr->number_type = SMS_NUMBER_TYPE_UNKNOWN;
--		strcpy(addr->address, str);
-+		l_strlcpy(addr->address, str, sizeof(addr->address));
- 	}
- }
- 
-@@ -3088,7 +3088,7 @@ gboolean status_report_assembly_report(struct status_report_assembly *assembly,
- 		}
- 	}
- 
--	sms_address_from_string(&addr, straddr);
-+	__sms_address_from_string(&addr, straddr);
- 
- 	if (pending == TRUE && node->deliverable == TRUE) {
- 		/*
-@@ -3181,7 +3181,7 @@ void status_report_assembly_expire(struct status_report_assembly *assembly,
- 	while (g_hash_table_iter_next(&iter_addr, (gpointer) &straddr,
- 					(gpointer) &id_table)) {
- 
--		sms_address_from_string(&addr, straddr);
-+		__sms_address_from_string(&addr, straddr);
- 		g_hash_table_iter_init(&iter_node, id_table);
- 
- 		/* Go through different messages. */
-@@ -3475,7 +3475,7 @@ GSList *sms_datagram_prepare(const char *to,
- 	template.submit.vp.relative = 0xA7; /* 24 Hours */
- 	template.submit.dcs = 0x04; /* Class Unspecified, 8 Bit */
- 	template.submit.udhi = TRUE;
--	sms_address_from_string(&template.submit.daddr, to);
-+	__sms_address_from_string(&template.submit.daddr, to);
- 
- 	offset = 1;
- 
-@@ -3602,7 +3602,7 @@ GSList *sms_text_prepare_with_alphabet(const char *to, const char *utf8,
- 	template.submit.srr = use_delivery_reports;
- 	template.submit.mr = 0;
- 	template.submit.vp.relative = 0xA7; /* 24 Hours */
--	sms_address_from_string(&template.submit.daddr, to);
-+	__sms_address_from_string(&template.submit.daddr, to);
- 
- 	/* There are two enums for the same thing */
- 	dialect = (enum gsm_dialect)alphabet;
-diff --git a/src/smsutil.h b/src/smsutil.h
-index 01487de..bc21504 100644
---- a/src/smsutil.h
-+++ b/src/smsutil.h
-@@ -487,7 +487,7 @@ int sms_udl_in_bytes(guint8 ud_len, guint8 dcs);
- time_t sms_scts_to_time(const struct sms_scts *scts, struct tm *remote);
- 
- const char *sms_address_to_string(const struct sms_address *addr);
--void sms_address_from_string(struct sms_address *addr, const char *str);
-+void __sms_address_from_string(struct sms_address *addr, const char *str);
- 
- const guint8 *sms_extract_common(const struct sms *sms, gboolean *out_udhi,
- 					guint8 *out_dcs, guint8 *out_udl,
-diff --git a/unit/test-sms.c b/unit/test-sms.c
-index 3bc099b..88293d5 100644
---- a/unit/test-sms.c
-+++ b/unit/test-sms.c
-@@ -1603,7 +1603,7 @@ static void test_sr_assembly(void)
- 			sr3.status_report.mr);
- 	}
- 
--	sms_address_from_string(&addr, "+4915259911630");
-+	__sms_address_from_string(&addr, "+4915259911630");
- 
- 	sra = status_report_assembly_new(NULL);
- 
-@@ -1626,7 +1626,7 @@ static void test_sr_assembly(void)
- 	 * Send sms-message in the national address-format,
- 	 * but receive in the international address-format.
- 	 */
--	sms_address_from_string(&addr, "9911630");
-+	__sms_address_from_string(&addr, "9911630");
- 	status_report_assembly_add_fragment(sra, sha1, &addr, 4, time(NULL), 2);
- 	status_report_assembly_add_fragment(sra, sha1, &addr, 5, time(NULL), 2);
- 
-@@ -1641,7 +1641,7 @@ static void test_sr_assembly(void)
- 	 * Send sms-message in the international address-format,
- 	 * but receive in the national address-format.
- 	 */
--	sms_address_from_string(&addr, "+358123456789");
-+	__sms_address_from_string(&addr, "+358123456789");
- 	status_report_assembly_add_fragment(sra, sha1, &addr, 6, time(NULL), 1);
- 
- 	g_assert(status_report_assembly_report(sra, &sr3, id, &delivered));

debian/patches/CVE-2023-2794/0009-smsutil-check-that-user-data-length-fits-in-internal.patch

@@ -1,29 +0,0 @@
-From: Jean-Marie Lemetayer <j.lemetayer@kerlink.fr>
-Date: Mon, 12 Aug 2024 10:51:34 +0200
-Subject: smsutil: check that user data length fits in internal buffer
-
-This addresses CVE-2023-2794.
-
-(cherry picked from commit 5209fd65ff41653d7725e407ccc359c54bb3121f)
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=5209fd65ff41653d7725e407ccc359c54bb3121f
-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2255387
-Bug-UBports: https://gitlab.com/ubports/development/core/packaging/ofono/-/issues/2
----
- src/smsutil.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/smsutil.c b/src/smsutil.c
-index e90bedf..d0bd216 100644
---- a/src/smsutil.c
-+++ b/src/smsutil.c
-@@ -785,6 +785,9 @@ static gboolean decode_deliver(const unsigned char *pdu, int len,
- 
- 	expected = sms_udl_in_bytes(out->deliver.udl, out->deliver.dcs);
- 
-+	if (expected < 0 || expected > (int)sizeof(out->deliver.ud))
-+		return FALSE;
-+
- 	if ((len - offset) < expected)
- 		return FALSE;
- 

debian/patches/CVEs/0010-stkutil-Fix-CVE-2024-7544.patch

@@ -1,27 +0,0 @@
-From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
-Date: Tue, 3 Dec 2024 21:43:49 +0200
-Subject: stkutil: Fix CVE-2024-7544
-
-(cherry picked from commit a240705a0d5d41eca6de4125ab2349ecde4c873a)
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a240705a0d5d41eca6de4125ab2349ecde4c873a
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078555
----
- src/stkutil.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/stkutil.c b/src/stkutil.c
-index 4f31af4..aef1bb8 100644
---- a/src/stkutil.c
-+++ b/src/stkutil.c
-@@ -1894,6 +1894,10 @@ static bool parse_dataobj_mms_id(struct comprehension_tlv_iter *iter,
- 
- 	data = comprehension_tlv_iter_get_data(iter);
- 	mi->len = len;
-+
-+	if (len > sizeof(mi->id))
-+		return false;
-+
- 	memcpy(mi->id, data, len);
- 
- 	return true;

debian/patches/CVEs/0011-stkutil-Fix-CVE-2024-7543.patch

@@ -1,27 +0,0 @@
-From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
-Date: Tue, 3 Dec 2024 21:43:50 +0200
-Subject: stkutil: Fix CVE-2024-7543
-
-(cherry picked from commit 90e60ada012de42964214d8155260f5749d0dcc7)
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60ada012de42964214d8155260f5749d0dcc7
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078555
----
- src/stkutil.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/stkutil.c b/src/stkutil.c
-index aef1bb8..475caaa 100644
---- a/src/stkutil.c
-+++ b/src/stkutil.c
-@@ -1876,6 +1876,10 @@ static bool parse_dataobj_mms_reference(struct comprehension_tlv_iter *iter,
- 
- 	data = comprehension_tlv_iter_get_data(iter);
- 	mr->len = len;
-+
-+	if (len > sizeof(mr->ref))
-+		return false;
-+
- 	memcpy(mr->ref, data, len);
- 
- 	return true;

debian/patches/CVEs/0012-Fix-CVE-2024-7547.patch

@@ -1,26 +0,0 @@
-From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
-Date: Tue, 3 Dec 2024 21:43:51 +0200
-Subject: Fix CVE-2024-7547
-
-(cherry picked from commit 305df050d02aea8532f7625d6642685aa530f9b0)
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=305df050d02aea8532f7625d6642685aa530f9b0
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078555
----
- src/smsutil.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/smsutil.c b/src/smsutil.c
-index d0bd216..81d34a5 100644
---- a/src/smsutil.c
-+++ b/src/smsutil.c
-@@ -1479,6 +1479,9 @@ static gboolean decode_command(const unsigned char *pdu, int len,
- 	if ((len - offset) < out->command.cdl)
- 		return FALSE;
- 
-+	if (out->command.cdl > sizeof(out->command.cd))
-+		return FALSE;
-+
- 	memcpy(out->command.cd, pdu + offset, out->command.cdl);
- 
- 	return TRUE;

debian/patches/CVEs/0013-Fix-CVE-2024-7546.patch

@@ -1,27 +0,0 @@
-From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
-Date: Tue, 3 Dec 2024 21:43:52 +0200
-Subject: Fix CVE-2024-7546
-
-(cherry picked from commit 79ea6677669e50b0bb9c231765adb4f81c375f63)
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=79ea6677669e50b0bb9c231765adb4f81c375f63
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078555
----
- src/stkutil.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/stkutil.c b/src/stkutil.c
-index 475caaa..2bcb509 100644
---- a/src/stkutil.c
-+++ b/src/stkutil.c
-@@ -1783,6 +1783,10 @@ static bool parse_dataobj_frame_layout(struct comprehension_tlv_iter *iter,
- 
- 	fl->layout = data[0];
- 	fl->len = len - 1;
-+
-+	if (fl->len > sizeof(fl->size))
-+		return false;
-+
- 	memcpy(fl->size, data + 1, fl->len);
- 
- 	return true;

debian/patches/CVEs/0014-stkutil-ensure-data-fits-in-buffer.patch

@@ -1,29 +0,0 @@
-From: "Sicelo A. Mhlongo" <absicsz@gmail.com>
-Date: Wed, 4 Dec 2024 12:07:34 +0200
-Subject: stkutil: ensure data fits in buffer
-
-Fixes CVE-2024-7545
-
-(cherry picked from commit 556e14548c38c2b96d85881542046ee7ed750bb5)
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=556e14548c38c2b96d85881542046ee7ed750bb5
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078555
----
- src/stkutil.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/stkutil.c b/src/stkutil.c
-index 2bcb509..88a715d 100644
---- a/src/stkutil.c
-+++ b/src/stkutil.c
-@@ -1942,6 +1942,10 @@ static bool parse_dataobj_mms_content_id(
- 
- 	data = comprehension_tlv_iter_get_data(iter);
- 	mci->len = len;
-+
-+	if (len > sizeof(mci->id))
-+		return false;
-+
- 	memcpy(mci->id, data, len);
- 
- 	return true;

debian/patches/CVEs/0015-smsutil-check-deliver-reports-fit-in-buffer.patch

@@ -1,34 +0,0 @@
-From: "Sicelo A. Mhlongo" <absicsz@gmail.com>
-Date: Wed, 4 Dec 2024 10:18:51 +0200
-Subject: smsutil: check deliver reports fit in buffer
-
-Fixes CVE-2023-4235
-
-(cherry picked from commit 02aa0f9bad3d9e47a152fc045d0f51874d901d7e)
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=02aa0f9bad3d9e47a152fc045d0f51874d901d7e
----
- src/smsutil.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/smsutil.c b/src/smsutil.c
-index 81d34a5..311f31d 100644
---- a/src/smsutil.c
-+++ b/src/smsutil.c
-@@ -1241,10 +1241,16 @@ static gboolean decode_deliver_report(const unsigned char *pdu, int len,
- 			return FALSE;
- 
- 		if (out->type == SMS_TYPE_DELIVER_REPORT_ERROR) {
-+			if (expected > (int) sizeof(out->deliver_err_report.ud))
-+				return FALSE;
-+
- 			out->deliver_err_report.udl = udl;
- 			memcpy(out->deliver_err_report.ud,
- 					pdu + offset, expected);
- 		} else {
-+			if (expected > (int) sizeof(out->deliver_ack_report.ud))
-+				return FALSE;
-+
- 			out->deliver_ack_report.udl = udl;
- 			memcpy(out->deliver_ack_report.ud,
- 					pdu + offset, expected);

debian/patches/CVEs/0016-smsutil-check-status-report-fits-in-buffer.patch

@@ -1,27 +0,0 @@
-From: "Sicelo A. Mhlongo" <absicsz@gmail.com>
-Date: Wed, 4 Dec 2024 10:18:52 +0200
-Subject: smsutil: check status report fits in buffer
-
-Fixes CVE-2023-4232
-
-(cherry picked from commit 2ff2da7ac374a790f8b2a0216bcb4e3126498225)
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=2ff2da7ac374a790f8b2a0216bcb4e3126498225
----
- src/smsutil.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/smsutil.c b/src/smsutil.c
-index 311f31d..119407f 100644
---- a/src/smsutil.c
-+++ b/src/smsutil.c
-@@ -1092,6 +1092,9 @@ static gboolean decode_status_report(const unsigned char *pdu, int len,
- 		if ((len - offset) < expected)
- 			return FALSE;
- 
-+		if (expected > (int)sizeof(out->status_report.ud))
-+			return FALSE;
-+
- 		memcpy(out->status_report.ud, pdu + offset, expected);
- 	}
- 

debian/patches/CVEs/0017-atmodem-sms-ensure-buffer-is-initialized-before-use.patch

@@ -1,46 +0,0 @@
-From: "Sicelo A. Mhlongo" <absicsz@gmail.com>
-Date: Tue, 17 Dec 2024 11:31:28 +0200
-Subject: atmodem: sms: ensure buffer is initialized before use
-
-Fixes: CVE-2024-7540
-Fixes: CVE-2024-7541
-Fixes: CVE-2024-7542
-(cherry picked from commit 29ff6334b492504ace101be748b256e6953d2c2f)
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=29ff6334b492504ace101be748b256e6953d2c2f
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078555
----
- drivers/atmodem/sms.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/atmodem/sms.c b/drivers/atmodem/sms.c
-index 963c22e..cf8a2b8 100644
---- a/drivers/atmodem/sms.c
-+++ b/drivers/atmodem/sms.c
-@@ -412,7 +412,7 @@ static void at_cmt_notify(GAtResult *result, gpointer user_data)
- 	struct sms_data *data = ofono_sms_get_data(sms);
- 	GAtResultIter iter;
- 	const char *hexpdu;
--	unsigned char pdu[176];
-+	unsigned char pdu[176] = {0};
- 	long pdu_len;
- 	int tpdu_len;
- 
-@@ -479,7 +479,7 @@ static void at_cmgr_notify(GAtResult *result, gpointer user_data)
- 	struct sms_data *data = ofono_sms_get_data(sms);
- 	GAtResultIter iter;
- 	const char *hexpdu;
--	unsigned char pdu[176];
-+	unsigned char pdu[176] = {0};
- 	long pdu_len;
- 	int tpdu_len;
- 
-@@ -661,7 +661,7 @@ static void at_cmgl_notify(GAtResult *result, gpointer user_data)
- 	struct sms_data *data = ofono_sms_get_data(sms);
- 	GAtResultIter iter;
- 	const char *hexpdu;
--	unsigned char pdu[176];
-+	unsigned char pdu[176] = {0};
- 	long pdu_len;
- 	int tpdu_len;
- 	int index;

debian/patches/CVEs/0018-ussd-ensure-ussd-content-fits-in-buffers.patch

@@ -1,84 +0,0 @@
-From: "Sicelo A. Mhlongo" <absicsz@gmail.com>
-Date: Tue, 17 Dec 2024 11:31:29 +0200
-Subject: ussd: ensure ussd content fits in buffers
-
-Fixes: CVE-2024-7539
-(cherry picked from commit 389e2344f86319265fb72ae590b470716e038fdc)
-
-Origin: upstream, https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078555
----
- drivers/atmodem/ussd.c      | 5 ++++-
- drivers/huaweimodem/ussd.c  | 5 ++++-
- drivers/speedupmodem/ussd.c | 5 ++++-
- 3 files changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c
-index 3be1832..8538cc6 100644
---- a/drivers/atmodem/ussd.c
-+++ b/drivers/atmodem/ussd.c
-@@ -106,7 +106,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
- 	const char *content;
- 	int dcs;
- 	enum sms_charset charset;
--	unsigned char msg[160];
-+	unsigned char msg[160] = {0};
- 	const unsigned char *msg_ptr = NULL;
- 	long msg_len;
- 
-@@ -124,6 +124,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
- 	if (!g_at_result_iter_next_number(&iter, &dcs))
- 		dcs = 0;
- 
-+	if (strlen(content) > sizeof(msg) * 2)
-+		goto out;
-+
- 	if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
- 		ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
- 		status = 4; /* Not supported */
-diff --git a/drivers/huaweimodem/ussd.c b/drivers/huaweimodem/ussd.c
-index fbed3cd..4160b7d 100644
---- a/drivers/huaweimodem/ussd.c
-+++ b/drivers/huaweimodem/ussd.c
-@@ -50,7 +50,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
- 	GAtResultIter iter;
- 	int status, dcs;
- 	const char *content;
--	unsigned char msg[160];
-+	unsigned char msg[160] = {0};
- 	const unsigned char *msg_ptr = NULL;
- 	long msg_len;
- 
-@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
- 	if (!g_at_result_iter_next_number(&iter, &dcs))
- 		dcs = 0;
- 
-+	if (strlen(content) > sizeof(msg) * 2)
-+		goto out;
-+
- 	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
- 
- out:
-diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c
-index 57b91d7..99af19a 100644
---- a/drivers/speedupmodem/ussd.c
-+++ b/drivers/speedupmodem/ussd.c
-@@ -49,7 +49,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
- 	GAtResultIter iter;
- 	int status, dcs;
- 	const char *content;
--	unsigned char msg[160];
-+	unsigned char msg[160] = {0};
- 	const unsigned char *msg_ptr = NULL;
- 	long msg_len;
- 
-@@ -67,6 +67,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
- 	if (!g_at_result_iter_next_number(&iter, &dcs))
- 		dcs = 0;
- 
-+	if (strlen(content) > sizeof(msg) * 2)
-+		goto out;
-+
- 	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
- 
- out:

debian/patches/series

@@ -1,18 +0,0 @@
-0001-doc-ofonod.8-escape-minus-sign.patch
-0002-Remove-After-syslog.target-from-systemd-.service-fil.patch
-0003-smsutil-Check-that-submit-report-fits-in-memory.patch
-0004-smsutil-Validate-the-length-of-the-address-field.patch
-CVE-2023-2794/0005-smsutil-ensure-the-address-length-in-bytes-10.patch
-CVE-2023-2794/0006-smsutil-Check-cbs_dcs_decode-return-value.patch
-CVE-2023-2794/0007-simutil-Make-sure-set_length-on-the-parent-succeeds.patch
-CVE-2023-2794/0008-smsutil-Use-a-safer-strlcpy.patch
-CVE-2023-2794/0009-smsutil-check-that-user-data-length-fits-in-internal.patch
-CVEs/0010-stkutil-Fix-CVE-2024-7544.patch
-CVEs/0011-stkutil-Fix-CVE-2024-7543.patch
-CVEs/0012-Fix-CVE-2024-7547.patch
-CVEs/0013-Fix-CVE-2024-7546.patch
-CVEs/0014-stkutil-ensure-data-fits-in-buffer.patch
-CVEs/0015-smsutil-check-deliver-reports-fit-in-buffer.patch
-CVEs/0016-smsutil-check-status-report-fits-in-buffer.patch
-CVEs/0017-atmodem-sms-ensure-buffer-is-initialized-before-use.patch
-CVEs/0018-ussd-ensure-ussd-content-fits-in-buffers.patch

doc/ofonod.8

@@ -18,7 +18,7 @@ is used to manage \fID-Bus\fP permissions for oFono.
 .SH OPTIONS
 .TP
 .B --debug, -d
-Enable debug information output. Note multiple arguments to -d can be
+Enable debug information output. Note multiple arguments to \-d can be
 specified, colon, comma or space separated. The arguments are relative
 source code filenames for which debugging output should be enabled;
 output shell-style globs are accepted (e.g.: "plugins/*:src/main.c").

drivers/atmodem/sms.c

@@ -412,7 +412,7 @@ static void at_cmt_notify(GAtResult *result, gpointer user_data)
 	struct sms_data *data = ofono_sms_get_data(sms);
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[176];
+	unsigned char pdu[176] = {0};
 	long pdu_len;
 	int tpdu_len;
 
@@ -479,7 +479,7 @@ static void at_cmgr_notify(GAtResult *result, gpointer user_data)
 	struct sms_data *data = ofono_sms_get_data(sms);
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[176];
+	unsigned char pdu[176] = {0};
 	long pdu_len;
 	int tpdu_len;
 
@@ -661,7 +661,7 @@ static void at_cmgl_notify(GAtResult *result, gpointer user_data)
 	struct sms_data *data = ofono_sms_get_data(sms);
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[176];
+	unsigned char pdu[176] = {0};
 	long pdu_len;
 	int tpdu_len;
 	int index;

drivers/atmodem/ussd.c

@@ -106,7 +106,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	const char *content;
 	int dcs;
 	enum sms_charset charset;
-	unsigned char msg[160];
+	unsigned char msg[160] = {0};
 	const unsigned char *msg_ptr = NULL;
 	long msg_len;
 
@@ -124,6 +124,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	if (!g_at_result_iter_next_number(&iter, &dcs))
 		dcs = 0;
 
+	if (strlen(content) > sizeof(msg) * 2)
+		goto out;
+
 	if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
 		ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
 		status = 4; /* Not supported */

drivers/huaweimodem/ussd.c

@@ -50,7 +50,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	GAtResultIter iter;
 	int status, dcs;
 	const char *content;
-	unsigned char msg[160];
+	unsigned char msg[160] = {0};
 	const unsigned char *msg_ptr = NULL;
 	long msg_len;
 
@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	if (!g_at_result_iter_next_number(&iter, &dcs))
 		dcs = 0;
 
+	if (strlen(content) > sizeof(msg) * 2)
+		goto out;
+
 	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
 
 out:

drivers/speedupmodem/ussd.c

@@ -49,7 +49,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	GAtResultIter iter;
 	int status, dcs;
 	const char *content;
-	unsigned char msg[160];
+	unsigned char msg[160] = {0};
 	const unsigned char *msg_ptr = NULL;
 	long msg_len;
 
@@ -67,6 +67,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	if (!g_at_result_iter_next_number(&iter, &dcs))
 		dcs = 0;
 
+	if (strlen(content) > sizeof(msg) * 2)
+		goto out;
+
 	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
 
 out:

dundee/dundee.service.in

@@ -1,6 +1,5 @@
 [Unit]
 Description=DUN service
-After=syslog.target
 
 [Service]
 Type=dbus

src/ofono.service.in

@@ -1,6 +1,5 @@
 [Unit]
 Description=Telephony service
-After=syslog.target
 
 [Service]
 Type=dbus

src/simutil.c

@@ -588,8 +588,9 @@ gboolean ber_tlv_builder_set_length(struct ber_tlv_builder *builder,
 	if (new_pos > builder->max)
 		return FALSE;
 
-	if (builder->parent)
-		ber_tlv_builder_set_length(builder->parent, new_pos);
+	if (builder->parent &&
+			!ber_tlv_builder_set_length(builder->parent, new_pos))
+		return FALSE;
 
 	builder->len = new_len;
 
@@ -730,9 +731,9 @@ gboolean comprehension_tlv_builder_set_length(
 	if (builder->pos + new_ctlv_len > builder->max)
 		return FALSE;
 
-	if (builder->parent)
-		ber_tlv_builder_set_length(builder->parent,
-						builder->pos + new_ctlv_len);
+	if (builder->parent && !ber_tlv_builder_set_length(builder->parent,
+						builder->pos + new_ctlv_len))
+		return FALSE;
 
 	len = MIN(builder->len, new_len);
 	if (len > 0 && new_len_size != len_size)

src/smsutil.c

@@ -627,6 +627,10 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
 	if (!next_octet(pdu, len, offset, &addr_len))
 		return FALSE;
 
+	/* According to 23.040 9.1.2.5 Address-Length must not exceed 20 */
+	if (addr_len > 20)
+		return FALSE;
+
 	if (sc && addr_len == 0) {
 		out->address[0] = '\0';
 		return TRUE;
@@ -640,7 +644,12 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
 	else
 		byte_len = (addr_len + 1) / 2;
 
-	if ((len - *offset) < byte_len)
+	/*
+	 * 23.040:
+	 * The maximum length of the full address field
+	 * (AddressLength, TypeofAddress and AddressValue) is 12 octets.
+	 */
+	if ((len - *offset) < byte_len || byte_len > 10)
 		return FALSE;
 
 	out->number_type = bit_field(addr_type, 4, 3);
@@ -776,6 +785,9 @@ static gboolean decode_deliver(const unsigned char *pdu, int len,
 
 	expected = sms_udl_in_bytes(out->deliver.udl, out->deliver.dcs);
 
+	if (expected < 0 || expected > (int)sizeof(out->deliver.ud))
+		return FALSE;
+
 	if ((len - offset) < expected)
 		return FALSE;
 
@@ -938,10 +950,16 @@ static gboolean decode_submit_report(const unsigned char *pdu, int len,
 			return FALSE;
 
 		if (out->type == SMS_TYPE_SUBMIT_REPORT_ERROR) {
+			if (expected > (int) sizeof(out->submit_err_report.ud))
+				return FALSE;
+
 			out->submit_err_report.udl = udl;
 			memcpy(out->submit_err_report.ud,
 					pdu + offset, expected);
 		} else {
+			if (expected > (int) sizeof(out->submit_ack_report.ud))
+				return FALSE;
+
 			out->submit_ack_report.udl = udl;
 			memcpy(out->submit_ack_report.ud,
 					pdu + offset, expected);
@@ -1074,6 +1092,9 @@ static gboolean decode_status_report(const unsigned char *pdu, int len,
 		if ((len - offset) < expected)
 			return FALSE;
 
+		if (expected > (int)sizeof(out->status_report.ud))
+			return FALSE;
+
 		memcpy(out->status_report.ud, pdu + offset, expected);
 	}
 
@@ -1223,10 +1244,16 @@ static gboolean decode_deliver_report(const unsigned char *pdu, int len,
 			return FALSE;
 
 		if (out->type == SMS_TYPE_DELIVER_REPORT_ERROR) {
+			if (expected > (int) sizeof(out->deliver_err_report.ud))
+				return FALSE;
+
 			out->deliver_err_report.udl = udl;
 			memcpy(out->deliver_err_report.ud,
 					pdu + offset, expected);
 		} else {
+			if (expected > (int) sizeof(out->deliver_ack_report.ud))
+				return FALSE;
+
 			out->deliver_ack_report.udl = udl;
 			memcpy(out->deliver_ack_report.ud,
 					pdu + offset, expected);
@@ -1461,6 +1488,9 @@ static gboolean decode_command(const unsigned char *pdu, int len,
 	if ((len - offset) < out->command.cdl)
 		return FALSE;
 
+	if (out->command.cdl > sizeof(out->command.cd))
+		return FALSE;
+
 	memcpy(out->command.cd, pdu + offset, out->command.cdl);
 
 	return TRUE;
@@ -1751,7 +1781,8 @@ gboolean sms_udh_iter_init_from_cbs(const struct cbs *cbs,
 	const guint8 *hdr;
 	guint8 max_ud_len;
 
-	cbs_dcs_decode(cbs->dcs, &udhi, NULL, NULL, NULL, NULL, NULL);
+	if (!cbs_dcs_decode(cbs->dcs, &udhi, NULL, NULL, NULL, NULL, NULL))
+		return FALSE;
 
 	if (!udhi)
 		return FALSE;
@@ -1872,15 +1903,15 @@ time_t sms_scts_to_time(const struct sms_scts *scts, struct tm *remote)
 	return ret;
 }
 
-void sms_address_from_string(struct sms_address *addr, const char *str)
+void __sms_address_from_string(struct sms_address *addr, const char *str)
 {
 	addr->numbering_plan = SMS_NUMBERING_PLAN_ISDN;
 	if (str[0] == '+') {
 		addr->number_type = SMS_NUMBER_TYPE_INTERNATIONAL;
-		strcpy(addr->address, str + 1);
+		l_strlcpy(addr->address, str + 1, sizeof(addr->address));
 	} else {
 		addr->number_type = SMS_NUMBER_TYPE_UNKNOWN;
-		strcpy(addr->address, str);
+		l_strlcpy(addr->address, str, sizeof(addr->address));
 	}
 }
 
@@ -3072,7 +3103,7 @@ gboolean status_report_assembly_report(struct status_report_assembly *assembly,
 		}
 	}
 
-	sms_address_from_string(&addr, straddr);
+	__sms_address_from_string(&addr, straddr);
 
 	if (pending == TRUE && node->deliverable == TRUE) {
 		/*
@@ -3165,7 +3196,7 @@ void status_report_assembly_expire(struct status_report_assembly *assembly,
 	while (g_hash_table_iter_next(&iter_addr, (gpointer) &straddr,
 					(gpointer) &id_table)) {
 
-		sms_address_from_string(&addr, straddr);
+		__sms_address_from_string(&addr, straddr);
 		g_hash_table_iter_init(&iter_node, id_table);
 
 		/* Go through different messages. */
@@ -3459,7 +3490,7 @@ GSList *sms_datagram_prepare(const char *to,
 	template.submit.vp.relative = 0xA7; /* 24 Hours */
 	template.submit.dcs = 0x04; /* Class Unspecified, 8 Bit */
 	template.submit.udhi = TRUE;
-	sms_address_from_string(&template.submit.daddr, to);
+	__sms_address_from_string(&template.submit.daddr, to);
 
 	offset = 1;
 
@@ -3586,7 +3617,7 @@ GSList *sms_text_prepare_with_alphabet(const char *to, const char *utf8,
 	template.submit.srr = use_delivery_reports;
 	template.submit.mr = 0;
 	template.submit.vp.relative = 0xA7; /* 24 Hours */
-	sms_address_from_string(&template.submit.daddr, to);
+	__sms_address_from_string(&template.submit.daddr, to);
 
 	/* There are two enums for the same thing */
 	dialect = (enum gsm_dialect)alphabet;

src/smsutil.h

@@ -487,7 +487,7 @@ int sms_udl_in_bytes(guint8 ud_len, guint8 dcs);
 time_t sms_scts_to_time(const struct sms_scts *scts, struct tm *remote);
 
 const char *sms_address_to_string(const struct sms_address *addr);
-void sms_address_from_string(struct sms_address *addr, const char *str);
+void __sms_address_from_string(struct sms_address *addr, const char *str);
 
 const guint8 *sms_extract_common(const struct sms *sms, gboolean *out_udhi,
 					guint8 *out_dcs, guint8 *out_udl,

src/stkutil.c

@@ -1783,6 +1783,10 @@ static bool parse_dataobj_frame_layout(struct comprehension_tlv_iter *iter,
 
 	fl->layout = data[0];
 	fl->len = len - 1;
+
+	if (fl->len > sizeof(fl->size))
+		return false;
+
 	memcpy(fl->size, data + 1, fl->len);
 
 	return true;
@@ -1876,6 +1880,10 @@ static bool parse_dataobj_mms_reference(struct comprehension_tlv_iter *iter,
 
 	data = comprehension_tlv_iter_get_data(iter);
 	mr->len = len;
+
+	if (len > sizeof(mr->ref))
+		return false;
+
 	memcpy(mr->ref, data, len);
 
 	return true;
@@ -1894,6 +1902,10 @@ static bool parse_dataobj_mms_id(struct comprehension_tlv_iter *iter,
 
 	data = comprehension_tlv_iter_get_data(iter);
 	mi->len = len;
+
+	if (len > sizeof(mi->id))
+		return false;
+
 	memcpy(mi->id, data, len);
 
 	return true;
@@ -1930,6 +1942,10 @@ static bool parse_dataobj_mms_content_id(
 
 	data = comprehension_tlv_iter_get_data(iter);
 	mci->len = len;
+
+	if (len > sizeof(mci->id))
+		return false;
+
 	memcpy(mci->id, data, len);
 
 	return true;

unit/test-sms.c

@@ -1603,7 +1603,7 @@ static void test_sr_assembly(void)
 			sr3.status_report.mr);
 	}
 
-	sms_address_from_string(&addr, "+4915259911630");
+	__sms_address_from_string(&addr, "+4915259911630");
 
 	sra = status_report_assembly_new(NULL);
 
@@ -1626,7 +1626,7 @@ static void test_sr_assembly(void)
 	 * Send sms-message in the national address-format,
 	 * but receive in the international address-format.
 	 */
-	sms_address_from_string(&addr, "9911630");
+	__sms_address_from_string(&addr, "9911630");
 	status_report_assembly_add_fragment(sra, sha1, &addr, 4, time(NULL), 2);
 	status_report_assembly_add_fragment(sra, sha1, &addr, 5, time(NULL), 2);
 
@@ -1641,7 +1641,7 @@ static void test_sr_assembly(void)
 	 * Send sms-message in the international address-format,
 	 * but receive in the national address-format.
 	 */
-	sms_address_from_string(&addr, "+358123456789");
+	__sms_address_from_string(&addr, "+358123456789");
 	status_report_assembly_add_fragment(sra, sha1, &addr, 6, time(NULL), 1);
 
 	g_assert(status_report_assembly_report(sra, &sr3, id, &delivered));