From b4c7cefb154dcd8777e62196e2ca5fceb71a2dcb Mon Sep 17 00:00:00 2001
From: Michael Zillgith
Date: Mon, 13 Jan 2020 11:48:05 +0100
Subject: [PATCH] - MMS value parser: added plausibility check for bit-string padding value (#200)
---
 src/mms/iso_mms/server/mms_access_result.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/mms/iso_mms/server/mms_access_result.c b/src/mms/iso_mms/server/mms_access_result.c
index bdb75114..bb53312e 100644
--- a/src/mms/iso_mms/server/mms_access_result.c
+++ b/src/mms/iso_mms/server/mms_access_result.c
@@ -155,7 +155,7 @@ MmsValue_decodeMmsData(uint8_t* buffer, int bufPos, int bufferLength, int* endBu
 {
 MmsValue* value = NULL;
- int dataEndBufPos = bufPos + bufferLength;
+ int dataEndBufPos = bufferLength;
 uint8_t tag = buffer[bufPos++];
@@ -192,12 +192,9 @@ MmsValue_decodeMmsData(uint8_t* buffer, int bufPos, int bufferLength, int* endBu
 if (newBufPos < 0)
 goto exit_with_error;
- if (newBufPos + elementLength > dataEndBufPos)
- goto exit_with_error;
-
 int elementBufLength = newBufPos - bufPos + elementLength;
- MmsValue* elementValue = MmsValue_decodeMmsData(buffer, bufPos, elementBufLength, NULL);
+ MmsValue* elementValue = MmsValue_decodeMmsData(buffer, bufPos, bufPos + elementBufLength, NULL);
 if (elementValue == NULL)
 goto exit_with_error;
@@ -226,6 +223,10 @@ MmsValue_decodeMmsData(uint8_t* buffer, int bufPos, int bufferLength, int* endBu
 case 0x84: /* MMS_BIT_STRING */
 {
 int padding = buffer[bufPos];
+
+ if (padding > 7)
+ goto exit_with_error;
+
 int bitStringLength = (8 * (dataLength - 1)) - padding;
 value = MmsValue_newBitString(bitStringLength);
 memcpy(value->value.bitString.buf, buffer + bufPos + 1, dataLength - 1);
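Review bot: The meaning of the `bufferLength` parameter changes in the first hunk — `dataEndBufPos = bufferLength` treats it as an absolute end index into `buffer`, whereas the removed line treated it as a byte count relative to `bufPos` — but the parameter keeps its old name and the hunk adds no comment recording the new contract. Any caller outside this file that still passes a length will now get a bound that is off by `bufPos`, which is too tight when `bufPos > 0` and silently changes which inputs are accepted; I cannot see those callers from here, so this needs checking. At minimum add above the declaration `/* bufferLength is the exclusive end position in buffer, not a count from bufPos */`, and preferably rename the parameter to `bufferEndPos` in the definition and header so the compiler documents it. The body of MmsValue_decodeMmsData starts before and continues after this hunk.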
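Review bot: The second hunk drops the containment check `if (newBufPos + elementLength > dataEndBufPos) goto exit_with_error;` without replacing it, so an element whose BER length field claims more bytes than remain in the enclosing structure is no longer rejected at this level; the recursive call now receives an end position derived only from the element's own length (`bufPos + elementBufLength`), not from the parent's end. Whether each type branch of the decoder re-checks `dataLength` against `dataEndBufPos` is outside this hunk, so this may be caught later, but an explicit check here costs one comparison and keeps the recursion from ever being handed an end past the parent's data; restoring it as `if (newBufPos + elementLength > dataEndBufPos) goto exit_with_error;` before `elementBufLength` is computed is the minimal fix. `elementLength` and `newBufPos` come from code preceding the hunk, and the loop around this element decode continues beyond it.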
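Review bot: The new `padding > 7` guard in the third hunk does not cover `dataLength == 0`: in that case `buffer[bufPos]` reads a byte beyond the declared element, `bitStringLength` becomes negative, and `memcpy` receives `dataLength - 1 == -1`, which converts to a huge `size_t`. I cannot see whether `dataLength` is bounded earlier in the function; if it is not, widen the guard to `if (dataLength < 1 || padding > 7) goto exit_with_error;` and, since a one-byte bit string can only carry padding 0, add `if (bitStringLength < 0) goto exit_with_error;` after it is computed. The return of `MmsValue_newBitString` is also dereferenced on the next line without a NULL check. The switch arm continues past the end of the hunk.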