2 files changed, 89 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
new file mode 100644
index 0000000000..e41596959b
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
@@ -0,0 +1,88 @@
+From 389e2344f86319265fb72ae590b470716e038fdc Mon Sep 17 00:00:00 2001
+From: Sicelo A. Mhlongo <absicsz@gmail.com>
+Date: Tue, 17 Dec 2024 11:31:29 +0200
+Subject: [PATCH] ussd: ensure ussd content fits in buffers
+Fixes: CVE-2024-7539
+CVE: CVE-2024-7539
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ drivers/atmodem/ussd.c      | 5 ++++-
+ drivers/huaweimodem/ussd.c  | 5 ++++-
+ drivers/speedupmodem/ussd.c | 5 ++++-
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c
+index 32a9fe9..99da559 100644
+--- a/drivers/atmodem/ussd.c
+++ b/drivers/atmodem/ussd.c
+@@ -93,7 +93,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+        const char *content;
+        int dcs;
+        enum sms_charset charset;
+-       unsigned char msg[160];
+       unsigned char msg[160] = {0};
+        const unsigned char *msg_ptr = NULL;
+        long msg_len;
+@@ -113,6 +113,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+        if (!g_at_result_iter_next_number(&iter, &dcs))
+                dcs = 0;
+       if (strlen(content) > sizeof(msg) * 2)
+               goto out;
+
+        if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
+                ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
+                status = 4; /* Not supported */
+diff --git a/drivers/huaweimodem/ussd.c b/drivers/huaweimodem/ussd.c
+index 5e1c907..3d165c8 100644
+--- a/drivers/huaweimodem/ussd.c
+++ b/drivers/huaweimodem/ussd.c
+@@ -38,7 +38,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+        int status;
+        int dcs = 0;
+        const char *content;
+-       unsigned char msg[160];
+       unsigned char msg[160] = {0};
+        const unsigned char *msg_ptr = NULL;
+        long msg_len;
+@@ -55,6 +55,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+        g_at_result_iter_next_number(&iter, &dcs);
+       if (strlen(content) > sizeof(msg) * 2)
+               goto out;
+
+        msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
+ out:
+diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c
+index aafa4bc..a5efde0 100644
+--- a/drivers/speedupmodem/ussd.c
+++ b/drivers/speedupmodem/ussd.c
+@@ -37,7 +37,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+        int status;
+        int dcs = 0;
+        const char *content;
+-       unsigned char msg[160];
+       unsigned char msg[160] = {0};
+        const unsigned char *msg_ptr = NULL;
+        long msg_len;
+@@ -54,6 +54,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+        g_at_result_iter_next_number(&iter, &dcs);
+       if (strlen(content) > sizeof(msg) * 2)
+               goto out;
+
+        msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
+ out:
+--
+2.40.0
diff --git a/meta/recipes-connectivity/ofono/ofono_2.14.bb b/meta/recipes-connectivity/ofono/ofono_2.14.bb
index 5d11d6cb45..34e919ef5a 100644
--- a/meta/recipes-connectivity/ofono/ofono_2.14.bb
+++ b/meta/recipes-connectivity/ofono/ofono_2.14.bb
@@ -11,6 +11,7 @@ SRC_URI = "\
    ${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
    file://rmnet.patch \
    file://ofono \
+    file://CVE-2024-7539.patch \
 "
 SRC_URI[sha256sum] = "983cbfd5e1e1a410ba7ad2db7f50fadc91e50b29f1ede40cdc73f941da7ba95f"

diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch new file mode 100644 index 0000000000..e41596959b --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
@@ -0,0 +1,88 @@
		1	From 389e2344f86319265fb72ae590b470716e038fdc Mon Sep 17 00:00:00 2001
		2	From: Sicelo A. Mhlongo <absicsz@gmail.com>
		3	Date: Tue, 17 Dec 2024 11:31:29 +0200
		4	Subject: [PATCH] ussd: ensure ussd content fits in buffers
		5
		6	Fixes: CVE-2024-7539
		7
		8	CVE: CVE-2024-7539
		9	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc]
		10
		11	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		12	---
		13	drivers/atmodem/ussd.c \| 5 ++++-
		14	drivers/huaweimodem/ussd.c \| 5 ++++-
		15	drivers/speedupmodem/ussd.c \| 5 ++++-
		16	3 files changed, 12 insertions(+), 3 deletions(-)
		17
		18	diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c
		19	index 32a9fe9..99da559 100644
		20	--- a/drivers/atmodem/ussd.c
		21	+++ b/drivers/atmodem/ussd.c
		22	@@ -93,7 +93,7 @@ static void cusd_parse(GAtResult result, struct ofono_ussd ussd)
		23	const char *content;
		24	int dcs;
		25	enum sms_charset charset;
		26	- unsigned char msg[160];
		27	+ unsigned char msg[160] = {0};
		28	const unsigned char *msg_ptr = NULL;
		29	long msg_len;
		30
		31	@@ -113,6 +113,9 @@ static void cusd_parse(GAtResult result, struct ofono_ussd ussd)
		32	if (!g_at_result_iter_next_number(&iter, &dcs))
		33	dcs = 0;
		34
		35	+ if (strlen(content) > sizeof(msg) * 2)
		36	+ goto out;
		37	+
		38	if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
		39	ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
		40	status = 4; /* Not supported */
		41	diff --git a/drivers/huaweimodem/ussd.c b/drivers/huaweimodem/ussd.c
		42	index 5e1c907..3d165c8 100644
		43	--- a/drivers/huaweimodem/ussd.c
		44	+++ b/drivers/huaweimodem/ussd.c
		45	@@ -38,7 +38,7 @@ static void cusd_parse(GAtResult result, struct ofono_ussd ussd)
		46	int status;
		47	int dcs = 0;
		48	const char *content;
		49	- unsigned char msg[160];
		50	+ unsigned char msg[160] = {0};
		51	const unsigned char *msg_ptr = NULL;
		52	long msg_len;
		53
		54	@@ -55,6 +55,9 @@ static void cusd_parse(GAtResult result, struct ofono_ussd ussd)
		55
		56	g_at_result_iter_next_number(&iter, &dcs);
		57
		58	+ if (strlen(content) > sizeof(msg) * 2)
		59	+ goto out;
		60	+
		61	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
		62
		63	out:
		64	diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c
		65	index aafa4bc..a5efde0 100644
		66	--- a/drivers/speedupmodem/ussd.c
		67	+++ b/drivers/speedupmodem/ussd.c
		68	@@ -37,7 +37,7 @@ static void cusd_parse(GAtResult result, struct ofono_ussd ussd)
		69	int status;
		70	int dcs = 0;
		71	const char *content;
		72	- unsigned char msg[160];
		73	+ unsigned char msg[160] = {0};
		74	const unsigned char *msg_ptr = NULL;
		75	long msg_len;
		76
		77	@@ -54,6 +54,9 @@ static void cusd_parse(GAtResult result, struct ofono_ussd ussd)
		78
		79	g_at_result_iter_next_number(&iter, &dcs);
		80
		81	+ if (strlen(content) > sizeof(msg) * 2)
		82	+ goto out;
		83	+
		84	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
		85
		86	out:
		87	--
		88	2.40.0


diff --git a/meta/recipes-connectivity/ofono/ofono_2.14.bb b/meta/recipes-connectivity/ofono/ofono_2.14.bb index 5d11d6cb45..34e919ef5a 100644 --- a/meta/recipes-connectivity/ofono/ofono_2.14.bb +++ b/meta/recipes-connectivity/ofono/ofono_2.14.bb
@@ -11,6 +11,7 @@ SRC_URI = "\
11	${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \	11	${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
12	file://rmnet.patch \	12	file://rmnet.patch \
13	file://ofono \	13	file://ofono \
		14	file://CVE-2024-7539.patch \
14	"	15	"
15	SRC_URI[sha256sum] = "983cbfd5e1e1a410ba7ad2db7f50fadc91e50b29f1ede40cdc73f941da7ba95f"	16	SRC_URI[sha256sum] = "983cbfd5e1e1a410ba7ad2db7f50fadc91e50b29f1ede40cdc73f941da7ba95f"
16		17