From 9c7a7fe29605d3d8bb5c0cfcee21a8f01ab9f4aa Mon Sep 17 00:00:00 2001
From: Denis Kenzior <denkenz@gmail.com>
Date: Thu, 29 Feb 2024 11:18:25 -0600
Subject: [PATCH 1/4] smsutil: ensure the address length in bytes <= 10

If a specially formatted SMS is received, it is conceivable that the
address length might overflow the structure it is being parsed into.
Ensure that the length in bytes of the address never exceeds 10.

CVE: CVE-2023-2794

Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682]

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 src/smsutil.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/smsutil.c b/src/smsutil.c
index f46507f..d3844f3 100644
--- a/src/smsutil.c
+++ b/src/smsutil.c
@@ -643,7 +643,12 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
	else
		byte_len = (addr_len + 1) / 2;

-	if ((len - *offset) < byte_len)
+	/*
+	 * 23.040:
+	 * The maximum length of the full address field
+	 * (AddressLength, TypeofAddress and AddressValue) is 12 octets.
+	 */
+	if ((len - *offset) < byte_len || byte_len > 10)
		return FALSE;

	out->number_type = bit_field(addr_type, 4, 3);
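Review bot: The new bound `byte_len > 10` is a bare literal, while the comment directly above it cites 12 octets, so the reader has to work out that 10 is 12 minus the AddressLength and TypeofAddress octets. Nothing in the hunk ties the value to the size of the field in `out` that the address is decoded into, and a later resize of that structure would not be caught here. I would extend the comment with `/* AddressLength and TypeofAddress take 2 of the 12 octets, so AddressValue is at most 10 */` and put the limit in a named constant next to the structure definition. The branch that sets byte_len before the `else` is outside the hunk, as are the start and end of sms_decode_address_field, so it is not possible to tell from here whether byte_len can be negative at this point. If it can, both comparisons pass, and a `byte_len < 0` rejection belongs in the same condition.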
--
2.40.0
