From 5fb8c5b9845e4d551d4f587519e8691098a4f095 Mon Sep 17 00:00:00 2001
From: Michael Zillgith
Date: Sat, 28 Oct 2017 13:13:13 +0200
Subject: [PATCH] - MMS: added more length checks in parsers for file services
---
 src/mms/iso_mms/client/mms_client_files.c | 2 ++
 src/mms/iso_mms/common/mms_common_msg.c | 6 +++++-
 src/mms/iso_mms/server/mms_file_service.c | 8 ++++++--
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/mms/iso_mms/client/mms_client_files.c b/src/mms/iso_mms/client/mms_client_files.c
index 19cfed8..1eb7989 100644
--- a/src/mms/iso_mms/client/mms_client_files.c
+++ b/src/mms/iso_mms/client/mms_client_files.c
@@ -98,6 +98,8 @@ mmsClient_handleFileOpenRequest(
 if (bufPos < 0) goto exit_reject_invalid_pdu;
+ if (bufPos + length > maxBufPos) goto exit_reject_invalid_pdu;
+
 switch(tag) {
 case 0xa0: /* filename */
diff --git a/src/mms/iso_mms/common/mms_common_msg.c b/src/mms/iso_mms/common/mms_common_msg.c
index 55da14d..75443e7 100644
--- a/src/mms/iso_mms/common/mms_common_msg.c
+++ b/src/mms/iso_mms/common/mms_common_msg.c
@@ -377,14 +377,18 @@ mmsMsg_openFile(const char* basepath, char* fileName, bool readWrite)
 bool mmsMsg_parseFileName(char* filename, uint8_t* buffer, int* bufPos, int maxBufPos , uint32_t invokeId, ByteBuffer* response) {
+ if (*bufPos == maxBufPos)
+ return false;
+
 uint8_t tag = buffer[(*bufPos)++];
- int length;
 if (tag != 0x19) {
 mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
 return false;
 }
+ int length;
+
 *bufPos = BerDecoder_decodeLength(buffer, &length, *bufPos, maxBufPos);
 if (*bufPos < 0) {
diff --git a/src/mms/iso_mms/server/mms_file_service.c b/src/mms/iso_mms/server/mms_file_service.c
index 42feced..a9f9b7c 100644
--- a/src/mms/iso_mms/server/mms_file_service.c
+++ b/src/mms/iso_mms/server/mms_file_service.c
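Review bot: The new guard `if (bufPos + length > maxBufPos)` forms the sum in `int` before comparing, so a multi-byte BER length near INT_MAX would overflow (undefined behaviour) and, with wraparound, slip past the very check meant to reject it; whether that is reachable depends on whether BerDecoder_decodeLength already bounds `length` by maxBufPos, which is not visible here. Writing it as `if (length < 0 || length > maxBufPos - bufPos) goto exit_reject_invalid_pdu;` compares without forming the sum (bufPos is known to be non-negative from the preceding line) and also rejects a negative or indefinite length should the decoder ever report one. The same form applies to the identical guards in mms_file_service.c (mmsServer_handleFileOpenRequest and mmsServer_handleObtainFileRequest) and to the two `(bufPos < 0) || (bufPos + length > maxBufPos)` conditions there (mmsServer_handleFileRenameRequest and mmsServer_handleFileDirectoryRequest). mmsClient_handleFileOpenRequest starts and ends outside the hunk.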
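Review bot: The added `if (*bufPos == maxBufPos) return false;` at the top of mmsMsg_parseFileName returns without building a reject PDU, whereas the `tag != 0x19` path a few lines below calls mmsMsg_createMmsRejectPdu before returning false; if callers take `false` to mean a reject response has already been prepared (their handling is not visible here), this new path leaves the response empty. Using `>=` rather than `==` additionally covers a caller that passes a position already past the end, so the following `buffer[(*bufPos)++]` read cannot go out of bounds in that case. Suggested: `if (*bufPos >= maxBufPos) { mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response); return false; }`. The rest of the function, including whatever follows the `*bufPos < 0` check, lies outside the hunk.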
@@ -316,6 +316,8 @@ mmsServer_handleFileOpenRequest(
 if (bufPos < 0) goto exit_reject_invalid_pdu;
+ if (bufPos + length > maxBufPos) goto exit_reject_invalid_pdu;
+
 switch(tag) {
 case 0xa0: /* filename */
@@ -575,6 +577,8 @@ mmsServer_handleObtainFileRequest(
 if (bufPos < 0) goto exit_reject_invalid_pdu;
+ if (bufPos + length > maxBufPos) goto exit_reject_invalid_pdu;
+
 switch(tag) {
 case 0xa1: /* source filename */
@@ -987,7 +991,7 @@ mmsServer_handleFileRenameRequest(
 bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
- if (bufPos < 0) {
+ if ((bufPos < 0) || (bufPos + length > maxBufPos)) {
 mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
 return;
 }
@@ -1071,7 +1075,7 @@ mmsServer_handleFileDirectoryRequest(
 bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
- if (bufPos < 0) {
+ if ((bufPos < 0) || (bufPos + length > maxBufPos)) {
 mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
 return;
 }