From 389e2344f86319265fb72ae590b470716e038fdc Mon Sep 17 00:00:00 2001 From: "Sicelo A. Mhlongo" Date: Tue, 17 Dec 2024 11:31:29 +0200 Subject: [PATCH] ussd: ensure ussd content fits in buffers Fixes: CVE-2024-7539 CVE: CVE-2024-7539 Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc] Signed-off-by: Yogita Urade --- drivers/atmodem/ussd.c | 5 ++++- drivers/huaweimodem/ussd.c | 5 ++++- drivers/speedupmodem/ussd.c | 5 ++++- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c index 3be1832..29f86dc 100644 --- a/drivers/atmodem/ussd.c +++ b/drivers/atmodem/ussd.c @@ -106,7 +106,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) const char *content; int dcs; enum sms_charset charset; - unsigned char msg[160]; + unsigned char msg[160] = {0}; const unsigned char *msg_ptr = NULL; long msg_len; @@ -124,6 +124,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) if (!g_at_result_iter_next_number(&iter, &dcs)) dcs = 0; + if (strlen(content) > sizeof(msg) * 2) + goto out; + if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) { ofono_error("Unsupported USSD data coding scheme (%02x)", dcs); status = 4; /* Not supported */ diff --git a/drivers/huaweimodem/ussd.c b/drivers/huaweimodem/ussd.c index fbed3cd..4160b7d 100644 --- a/drivers/huaweimodem/ussd.c +++ b/drivers/huaweimodem/ussd.c @@ -50,7 +50,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) GAtResultIter iter; int status, dcs; const char *content; - unsigned char msg[160]; + unsigned char msg[160] = {0}; const unsigned char *msg_ptr = NULL; long msg_len; @@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) if (!g_at_result_iter_next_number(&iter, &dcs)) dcs = 0; + if (strlen(content) > sizeof(msg) * 2) + goto out; + msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); out: diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c index 57b91d7..99af19a 100644 --- a/drivers/speedupmodem/ussd.c +++ b/drivers/speedupmodem/ussd.c @@ -49,7 +49,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) GAtResultIter iter; int status, dcs; const char *content; - unsigned char msg[160]; + unsigned char msg[160] = {0}; const unsigned char *msg_ptr = NULL; long msg_len; @@ -67,6 +67,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) if (!g_at_result_iter_next_number(&iter, &dcs)) dcs = 0; + if (strlen(content) > sizeof(msg) * 2) + goto out; + msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); out: -- 2.40.0