diff options
| author | Vadim Yanitskiy <axilirator@gmail.com> | 2019-03-31 18:10:18 +0700 |
|---|---|---|
| committer | laforge <laforge@gnumonks.org> | 2019-06-06 19:45:20 +0000 |
| commit | ad585d8895e6909002195f4cf9fb9368e83b8168 (patch) | |
| tree | 1707d3f8364c59d05b08c03fc3083725bec9635d /src/libmsc | |
| parent | 4474f357709b4b08ff22b74ad37bc5e6286bea3c (diff) | |
libmsc/db.c: fix potential integer overflow
The value of 'sms->user_data_len' is fetched from the database:
sms->user_data_len = dbi_result_get_field_length(result, "user_data");
and this is where the problem is. As per the libdbi's documentation
(see 3.5.3), dbi_result_get_field_length() returns the length in
bytes of the value stored in the specified field:
unsigned int dbi_result_get_field_length(dbi_result Result,
const char *fieldname)
so 'unsigned int' is assigned to 'uint8_t', what could lead to an
integer overflow if the value is grather than 0xff. As a result,
if the database for some reason does contain such odd TP-UD,
the truncation of 'user_data' would be done incorrectly.
Let's avoid such direct assignment, and use a separate variable.
Also, let's warn user if TP-UDL value is grether than 140, as
per 3GPP TS 03.40.
Change-Id: Ibbd588545e1a4817504c806a3d02cf59d5938ee2
Related: OS#3684
Diffstat (limited to 'src/libmsc')
| -rw-r--r-- | src/libmsc/db.c | 36 |
1 files changed, 27 insertions, 9 deletions
diff --git a/src/libmsc/db.c b/src/libmsc/db.c index e3995a643..1fe8e6b23 100644 --- a/src/libmsc/db.c +++ b/src/libmsc/db.c @@ -236,6 +236,7 @@ static struct gsm_sms *sms_from_result_v3(dbi_result result) long long unsigned int sender_id; const char *text, *daddr; const unsigned char *user_data; + unsigned int user_data_len; char buf[32]; char *quoted; dbi_result result2; @@ -273,10 +274,15 @@ static struct gsm_sms *sms_from_result_v3(dbi_result result) if (daddr) OSMO_STRLCPY_ARRAY(sms->dst.addr, daddr); - sms->user_data_len = dbi_result_get_field_length(result, "user_data"); + user_data_len = dbi_result_get_field_length(result, "user_data"); user_data = dbi_result_get_binary(result, "user_data"); - if (sms->user_data_len > sizeof(sms->user_data)) - sms->user_data_len = (uint8_t) sizeof(sms->user_data); + if (user_data_len > sizeof(sms->user_data)) { + LOGP(DDB, LOGL_ERROR, + "SMS TP-UD length %u is too big, truncating to %zu\n", + user_data_len, sizeof(sms->user_data)); + user_data_len = (uint8_t) sizeof(sms->user_data); + } + sms->user_data_len = user_data_len; memcpy(sms->user_data, user_data, sms->user_data_len); text = dbi_result_get_string(result, "text"); @@ -395,6 +401,7 @@ static struct gsm_sms *sms_from_result_v4(dbi_result result) { struct gsm_sms *sms = sms_alloc(); const unsigned char *user_data; + unsigned int user_data_len; const char *text, *addr; if (!sms) @@ -419,10 +426,15 @@ static struct gsm_sms *sms_from_result_v4(dbi_result result) sms->dst.ton = dbi_result_get_ulonglong(result, "dest_ton"); sms->dst.npi = dbi_result_get_ulonglong(result, "dest_npi"); - sms->user_data_len = dbi_result_get_field_length(result, "user_data"); + user_data_len = dbi_result_get_field_length(result, "user_data"); user_data = dbi_result_get_binary(result, "user_data"); - if (sms->user_data_len > sizeof(sms->user_data)) - sms->user_data_len = (uint8_t) sizeof(sms->user_data); + if (user_data_len > sizeof(sms->user_data)) { + LOGP(DDB, LOGL_ERROR, + "SMS TP-UD length %u is too big, truncating to %zu\n", + user_data_len, sizeof(sms->user_data)); + user_data_len = (uint8_t) sizeof(sms->user_data); + } + sms->user_data_len = user_data_len; memcpy(sms->user_data, user_data, sms->user_data_len); text = dbi_result_get_string(result, "text"); @@ -753,6 +765,7 @@ static struct gsm_sms *sms_from_result(struct gsm_network *net, dbi_result resul struct gsm_sms *sms = sms_alloc(); const char *text, *daddr, *saddr; const unsigned char *user_data; + unsigned int user_data_len; time_t validity_timestamp; if (!sms) @@ -789,10 +802,15 @@ static struct gsm_sms *sms_from_result(struct gsm_network *net, dbi_result resul if (saddr) OSMO_STRLCPY_ARRAY(sms->src.addr, saddr); - sms->user_data_len = dbi_result_get_field_length(result, "user_data"); + user_data_len = dbi_result_get_field_length(result, "user_data"); user_data = dbi_result_get_binary(result, "user_data"); - if (sms->user_data_len > sizeof(sms->user_data)) - sms->user_data_len = (uint8_t) sizeof(sms->user_data); + if (user_data_len > sizeof(sms->user_data)) { + LOGP(DDB, LOGL_ERROR, + "SMS TP-UD length %u is too big, truncating to %zu\n", + user_data_len, sizeof(sms->user_data)); + user_data_len = (uint8_t) sizeof(sms->user_data); + } + sms->user_data_len = user_data_len; if (user_data) memcpy(sms->user_data, user_data, sms->user_data_len); |