From: Guillaume Zajac
Date: Mon, 3 Jun 2013 10:30:00 +0000 (+0200)
Subject: Fix crash when TPDU or SCA is corrupted
X-Git-Tag: accepted/tizen/ivi/genivi/20140131.061142~7
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F61%2F8461%2F1;p=platform%2Fcore%2Ftelephony%2Ftel-plugin-dbus_tapi.git
Fix crash when TPDU or SCA is corrupted
---
diff --git a/src/sms.c b/src/sms.c
index 5d58da8..91fecd2 100644
--- a/src/sms.c
+++ b/src/sms.c
@@ -64,8 +64,15 @@ on_sms_send_msg(TelephonySms *sms, GDBusMethodInvocation *invocation,
 memset(&sendUmtsMsg, 0 , sizeof(struct treq_sms_send_umts_msg));
 decoded_buff = g_base64_decode(sca, &length);
+<<<<<<< HEAD
 if (length > SMS_ENCODED_SCA_LEN_MAX)
 goto invalid_param;
+=======
+ if ((length > SMS_ENCODED_SCA_LEN_MAX)
+ || (decoded_buff[0] > SMS_SMSP_ADDRESS_LEN))
+ goto invalid_param;
+
+>>>>>>> Fix crash when TPDU or SCA is corrupted
 memcpy(&(sendUmtsMsg.msgDataPackage.sca[0]), decoded_buff, length);
 g_free(decoded_buff);
@@ -73,7 +80,11 @@ on_sms_send_msg(TelephonySms *sms, GDBusMethodInvocation *invocation,
 dbg("tpdu_length = 0x%x", tpdu_length);
 decoded_buff = g_base64_decode(tpdu_data, &length);
+<<<<<<< HEAD
 if (length > SMS_SMDATA_SIZE_MAX + 1)
+=======
+ if (length > SMS_SMDATA_SIZE_MAX + 1 || ((gsize)tpdu_length != length))
+>>>>>>> Fix crash when TPDU or SCA is corrupted
 goto invalid_param;
 memcpy(&(sendUmtsMsg.msgDataPackage.tpduData[0]), decoded_buff, length);
 g_free(decoded_buff);
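Review bot: The added lines in the `@@ -64,8 +64,15 @@` hunk include literal merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> Fix crash when TPDU or SCA is corrupted`), and the `@@ -73,7 +80,11 @@` hunk does the same, so src/sms.c as patched is not valid C and the old and new bounds checks sit side by side. Resolve by keeping only the new condition in each place, here `if (length > SMS_ENCODED_SCA_LEN_MAX || decoded_buff[0] > SMS_SMSP_ADDRESS_LEN) goto invalid_param;`. While resolving, note that `decoded_buff[0]` is read without first checking that g_base64_decode() returned a non-NULL buffer; whether `sca` can be NULL at this point is not visible in the hunk. on_sms_send_msg starts and ends outside the hunk.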
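Review bot: The new `(gsize)tpdu_length != length` test in the `@@ -73,7 +80,11 @@` hunk adds another way to reach `goto invalid_param` while `decoded_buff` still holds the buffer returned by g_base64_decode(), and the only `g_free(decoded_buff)` visible comes after the memcpy. The `invalid_param` label is outside the hunk, so this may already be handled there; if it is not, every rejected request leaks the decoded buffer, and the same applies to the SCA check in the first hunk. Freeing before the jump would close it: `if (...) { g_free(decoded_buff); goto invalid_param; }`.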