From 389e2344f86319265fb72ae590b470716e038fdc Mon Sep 17 00:00:00 2001
From: "Sicelo A. Mhlongo"
Date: Tue, 17 Dec 2024 11:31:29 +0200
Subject: [PATCH] ussd: ensure ussd content fits in buffers

Fixes: CVE-2024-7539
CVE: CVE-2024-7539
Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc]
Signed-off-by: Hitendra Prajapati
---
 drivers/atmodem/ussd.c | 5 ++++-
 drivers/huaweimodem/ussd.c | 5 ++++-
 drivers/speedupmodem/ussd.c | 5 ++++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c
index aaf47b2..cee9bc5 100644
--- a/drivers/atmodem/ussd.c
+++ b/drivers/atmodem/ussd.c
@@ -107,7 +107,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 const char *content;
 int dcs;
 enum sms_charset charset;
- unsigned char msg[160];
+ unsigned char msg[160] = {0};
 const unsigned char *msg_ptr = NULL;
 long msg_len;
@@ -127,6 +127,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 if (!g_at_result_iter_next_number(&iter, &dcs))
 dcs = 0;
+ if (strlen(content) > sizeof(msg) * 2)
+ goto out;
+
 if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
 ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
 status = 4; /* Not supported */
diff --git a/drivers/huaweimodem/ussd.c b/drivers/huaweimodem/ussd.c
index ffb9b2a..cfdb4ee 100644
--- a/drivers/huaweimodem/ussd.c
+++ b/drivers/huaweimodem/ussd.c
@@ -52,7 +52,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 int status;
 int dcs = 0;
 const char *content;
- unsigned char msg[160];
+ unsigned char msg[160] = {0};
 const unsigned char *msg_ptr = NULL;
 long msg_len;
@@ -69,6 +69,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 g_at_result_iter_next_number(&iter, &dcs);
+ if (strlen(content) > sizeof(msg) * 2)
+ goto out;
+
 msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
 out:
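Review bot: In drivers/atmodem/ussd.c the bound `sizeof(msg) * 2` is applied before `cbs_dcs_decode()` has selected a charset, so it is only tight if every path that later fills `msg` consumes `content` as hex pairs. The rest of cusd_parse lies outside this hunk; if any branch there copies or repacks `content` at more than one output byte per two input characters, 320 characters can still overrun the 160-byte buffer. Each such branch would need its own limit next to the call, e.g. `if (strlen(content) > sizeof(msg)) goto out;` for a one-to-one copy. Worth checking against the full function before treating CVE-2024-7539 as closed for this driver.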
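Review bot: The added `goto out;` in drivers/huaweimodem/ussd.c discards over-long USSD content without logging anything, whereas the unsupported-DCS branch visible in the atmodem hunk reports through `ofono_error()` before leaving. A modem handing over more than 320 characters is the condition this fix exists for, so it should leave a trace an operator can alert on: `if (strlen(content) > sizeof(msg) * 2) { ofono_error("USSD content too long (%zu characters)", strlen(content)); goto out; }`. What `status` is delivered at `out:` in that case is outside the hunk and worth confirming. The same check in the atmodem and speedupmodem hunks has the same gap.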
diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c
index 44da8ed..33441c6 100644
--- a/drivers/speedupmodem/ussd.c
+++ b/drivers/speedupmodem/ussd.c
@@ -51,7 +51,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 int status;
 int dcs = 0;
 const char *content;
- unsigned char msg[160];
+ unsigned char msg[160] = {0};
 const unsigned char *msg_ptr = NULL;
 long msg_len;
@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 g_at_result_iter_next_number(&iter, &dcs);
+ if (strlen(content) > sizeof(msg) * 2)
+ goto out;
+
 msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
 out:
--
2.25.1
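Review bot: The factor in `sizeof(msg) * 2` is unexplained in drivers/speedupmodem/ussd.c, and `decode_hex_own_buf(content, -1, &msg_len, 0, msg)` is handed no destination size, so as far as this call shows the new `if` is the only thing limiting the write into `msg`. A comment above it such as `/* content is hex: two characters decode to one byte of msg */` would tie the limit to the decoder and keep a later edit from loosening it. The identical lines in drivers/huaweimodem/ussd.c deserve the same comment. cusd_parse starts before and continues after the hunk.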