From a90421d8e45d63b304dc010baba24633e7869682 Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Mon, 5 Aug 2024 19:50:04 +0800
Subject: [PATCH] smsutil: ensure the address length in bytes <= 10

If a specially formatted SMS is received, it is conceivable that the address length might overflow the structure it is being parsed into. Ensure that the length in bytes of the address never exceeds 10.
CVE: CVE-2023-2794
Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682]
Signed-off-by: Yogita Urade
---
 src/smsutil.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/smsutil.c b/src/smsutil.c
index 8dd2126..d8170d1 100644
--- a/src/smsutil.c
+++ b/src/smsutil.c
@@ -643,7 +643,12 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
 else
 byte_len = (addr_len + 1) / 2;
- if ((len - *offset) < byte_len)
+ /*
+ * 23.040:
+ * The maximum length of the full address field
+ * (AddressLength, TypeofAddress and AddressValue) is 12 octets.
+ */
+ if ((len - *offset) < byte_len || byte_len > 10)
 return FALSE;
 out->number_type = bit_field(addr_type, 4, 3);
-- 
2.25.1
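Review bot: The new bound `byte_len > 10` does not match the figure in the comment directly above it (12 octets), and nothing says that 10 is 12 minus the AddressLength and TypeofAddress octets. I would either add a comment line such as `* That leaves at most 10 octets for AddressValue.` or name the limit, e.g. `#define SMS_ADDR_VALUE_MAX_OCTETS 10`, so the check stays visibly tied to the spec and to the size of the field in `out` that receives the decoded bytes (its declaration is not visible here). Only the upper bound is enforced: the declaration of `byte_len` and the branch before the `else` are outside the hunk, so if the value can ever be negative the guard should also reject `byte_len < 0`. The body of sms_decode_address_field starts and ends outside the hunk.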