summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/ofono
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-connectivity/ofono')
-rw-r--r--meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch88
-rw-r--r--meta/recipes-connectivity/ofono/ofono_2.14.bb1
2 files changed, 89 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
new file mode 100644
index 0000000000..e41596959b
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
@@ -0,0 +1,88 @@
1From 389e2344f86319265fb72ae590b470716e038fdc Mon Sep 17 00:00:00 2001
2From: Sicelo A. Mhlongo <absicsz@gmail.com>
3Date: Tue, 17 Dec 2024 11:31:29 +0200
4Subject: [PATCH] ussd: ensure ussd content fits in buffers
5
6Fixes: CVE-2024-7539
7
8CVE: CVE-2024-7539
9Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc]
10
11Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
12---
13 drivers/atmodem/ussd.c | 5 ++++-
14 drivers/huaweimodem/ussd.c | 5 ++++-
15 drivers/speedupmodem/ussd.c | 5 ++++-
16 3 files changed, 12 insertions(+), 3 deletions(-)
17
18diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c
19index 32a9fe9..99da559 100644
20--- a/drivers/atmodem/ussd.c
21+++ b/drivers/atmodem/ussd.c
22@@ -93,7 +93,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
23 const char *content;
24 int dcs;
25 enum sms_charset charset;
26- unsigned char msg[160];
27+ unsigned char msg[160] = {0};
28 const unsigned char *msg_ptr = NULL;
29 long msg_len;
30
31@@ -113,6 +113,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
32 if (!g_at_result_iter_next_number(&iter, &dcs))
33 dcs = 0;
34
35+ if (strlen(content) > sizeof(msg) * 2)
36+ goto out;
37+
38 if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
39 ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
40 status = 4; /* Not supported */
41diff --git a/drivers/huaweimodem/ussd.c b/drivers/huaweimodem/ussd.c
42index 5e1c907..3d165c8 100644
43--- a/drivers/huaweimodem/ussd.c
44+++ b/drivers/huaweimodem/ussd.c
45@@ -38,7 +38,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
46 int status;
47 int dcs = 0;
48 const char *content;
49- unsigned char msg[160];
50+ unsigned char msg[160] = {0};
51 const unsigned char *msg_ptr = NULL;
52 long msg_len;
53
54@@ -55,6 +55,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
55
56 g_at_result_iter_next_number(&iter, &dcs);
57
58+ if (strlen(content) > sizeof(msg) * 2)
59+ goto out;
60+
61 msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
62
63 out:
64diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c
65index aafa4bc..a5efde0 100644
66--- a/drivers/speedupmodem/ussd.c
67+++ b/drivers/speedupmodem/ussd.c
68@@ -37,7 +37,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
69 int status;
70 int dcs = 0;
71 const char *content;
72- unsigned char msg[160];
73+ unsigned char msg[160] = {0};
74 const unsigned char *msg_ptr = NULL;
75 long msg_len;
76
77@@ -54,6 +54,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
78
79 g_at_result_iter_next_number(&iter, &dcs);
80
81+ if (strlen(content) > sizeof(msg) * 2)
82+ goto out;
83+
84 msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
85
86 out:
87--
882.40.0
diff --git a/meta/recipes-connectivity/ofono/ofono_2.14.bb b/meta/recipes-connectivity/ofono/ofono_2.14.bb
index 5d11d6cb45..34e919ef5a 100644
--- a/meta/recipes-connectivity/ofono/ofono_2.14.bb
+++ b/meta/recipes-connectivity/ofono/ofono_2.14.bb
@@ -11,6 +11,7 @@ SRC_URI = "\
11 ${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ 11 ${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
12 file://rmnet.patch \ 12 file://rmnet.patch \
13 file://ofono \ 13 file://ofono \
14 file://CVE-2024-7539.patch \
14" 15"
15SRC_URI[sha256sum] = "983cbfd5e1e1a410ba7ad2db7f50fadc91e50b29f1ede40cdc73f941da7ba95f" 16SRC_URI[sha256sum] = "983cbfd5e1e1a410ba7ad2db7f50fadc91e50b29f1ede40cdc73f941da7ba95f"
16 17
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-05-11 05:20:42 +0000