mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-08 05:09:24 +00:00
Code Issues Projects Releases Wiki Activity

ofono: fix CVE-2023-4234

Browse Source 
A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug
is triggered within the decode_submit_report() function during the SMS decoding.
It is assumed that the attack scenario is accessible from a compromised modem,
a malicious base station, or just SMS. There is a bound check for this memcpy
length in decode_submit(), but it was forgotten in decode_submit_report().

(From OE-Core rev: 51cf006ac7b5b97e65864fb1cb6f5b47192c4ebf)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Archana Polampalli
2024-05-03 11:41:52 +00:00
committed by Steve Sakoman
parent 2b21c6009a
commit 88287ba521
2 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch
+39
View File
@@ -0,0 +1,39 @@
From 8d74bc66146ea78620d140640a0a57af86fc8936 Mon Sep 17 00:00:00 2001
From: Denis Grigorev <d.grigorev@omp.ru>
Date: Thu, 21 Dec 2023 17:16:38 +0300
Subject: [PATCH] smsutil: Check that submit report fits in memory
This addresses CVE-2023-4234.
CVE: CVE-2023-4234.
Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8d74bc66146ea786]
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
src/smsutil.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/smsutil.c b/src/smsutil.c
index 8e57a06..5a12708 100644
--- a/src/smsutil.c
+++ b/src/smsutil.c
@@ -938,10 +938,16 @@ static gboolean decode_submit_report(const unsigned char *pdu, int len,
return FALSE;
if (out->type == SMS_TYPE_SUBMIT_REPORT_ERROR) {
+ if (expected > (int) sizeof(out->submit_err_report.ud))
+ return FALSE;
+
out->submit_err_report.udl = udl;
memcpy(out->submit_err_report.ud,
pdu + offset, expected);
} else {
+ if (expected > (int) sizeof(out->submit_ack_report.ud))
+ return FALSE;
+
out->submit_ack_report.udl = udl;
memcpy(out->submit_ack_report.ud,
pdu + offset, expected);
--
2.40.0
meta/recipes-connectivity/ofono/ofono_1.34.bb
+1
View File
@@ -12,6 +12,7 @@ SRC_URI = "\
file://ofono \
file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \
file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \
file://CVE-2023-4234.patch \
"
SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"