From 230dd0056e250e63357d43bcbf9dac6b6ec1ea13 Mon Sep 17 00:00:00 2001 From: Sooyoung Ha Date: Mon, 21 Jan 2013 23:31:30 +0900 Subject: [PATCH] [Title] fix the tainted value as argument. (various) [Desc.] make the values clearly. --- packaging/vmodemd-emul.spec | 2 +- vmodem/server/client.c | 12 +++++++++--- vmodem/server/misc.c | 9 ++++++++- vmodem/server/server_tx_call.c | 9 +++++++-- vmodem/server/server_tx_network.c | 12 ++++++++---- 5 files changed, 33 insertions(+), 11 deletions(-) diff --git a/packaging/vmodemd-emul.spec b/packaging/vmodemd-emul.spec index 9cf6f8e..ea48033 100644 --- a/packaging/vmodemd-emul.spec +++ b/packaging/vmodemd-emul.spec @@ -1,6 +1,6 @@ #git:slp/pkgs/v/vmodem-daemon-emulator Name: vmodemd-emul -Version: 0.2.36 +Version: 0.2.37 Release: 1 Summary: Modem Emulator Group: System/ModemEmulator diff --git a/vmodem/server/client.c b/vmodem/server/client.c index 1701b3a..a989cf0 100644 --- a/vmodem/server/client.c +++ b/vmodem/server/client.c @@ -423,6 +423,10 @@ static void preprocess_do_gprs(LXT_MESSAGE * packet) } num = *((int *)p); + if(num < 0 || num > (254 * sizeof(int)) ) { + TRACE(MSGL_VGSM_INFO, "ERROR!! Invalid value of packet.data.\n"); + return; + } pos = p + sizeof(int); @@ -1164,6 +1168,8 @@ static void do_internal(PhoneServer * ps, TClientInfo * ci, LXT_MESSAGE * packet int clientid; clientid = (int)packed_S32((unsigned char *)p); + if(clientid == 0) + TRACE(MSGL_VGSM_INFO, "ERROR!! Invalid value of clientid.\n"); ci->klass = clientid; TRACE(MSGL_VGSM_INFO, "LXT_PDA_INTERNAL_ID_REQUEST [0x%x]: %s\n", clientid, clientName[clientid]); @@ -1446,7 +1452,7 @@ static int client_callback(PhoneServer * ps, int fd, EloopCondition cond, void * //int klass = ci->klass; int clientfd = ci->fd; - unsigned char * p = 0; + //unsigned char * p = 0; TAPIMessageInit(&packet); 
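Review bot: The new range check on `num` in preprocess_do_gprs compares against the constant `254 * sizeof(int)` rather than against the size of the packet actually received, so a value that passes can still describe more data than `packet->data` holds. How `num` is consumed lies outside the hunk, so this is inferred, but the bound should be derived from the packet length, e.g. `if (packet->length < sizeof(int) || num < 0 || (size_t)num > packet->length - sizeof(int)) {` if `num` counts bytes. The read `*((int *)p)` just above also assumes that `p` is suitably aligned and that at least `sizeof(int)` bytes are present; `memcpy(&num, p, sizeof num);` after a length check avoids both assumptions. A short comment stating the unit of `num` and where 254 comes from would help the next reader.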
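Review bot: The added `clientid == 0` test in do_internal only logs; execution continues to `ci->klass = clientid` and to `clientName[clientid]` in the TRACE that follows, so a client-supplied id outside the table is still used as an array index. The check should reject the packet before either use and bound the id on both sides, for example `if (clientid <= 0 || clientid >= CLIENT_NAME_COUNT) { TRACE(...); break; }`. Here `CLIENT_NAME_COUNT` is a placeholder for the number of entries in `clientName`, and `break` assumes the code sits inside a `case`; both are outside the hunk. packed_S32 returns 0 for a NULL input, so 0 is the only error signal this caller can currently see.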
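Review bot: The declaration of `p` in client_callback is commented out rather than deleted, and the hunk at -1467 does the same to its only visible assignment. Commented-out code does nothing for the compiler and leaves readers guessing whether it is still wanted. Removing both lines outright (`unsigned char * p = 0;` and `p = (unsigned char *)packet.data;`) keeps the function easier to audit. The function body extends beyond both hunks, so it needs confirming that `p` has no other use.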
@@ -1467,7 +1473,7 @@ static int client_callback(PhoneServer * ps, int fd, EloopCondition cond, void * { packet.data = (unsigned char *) PacketDataMalloc(packet.length + 1); rc = ReadBytes(clientfd, packet.data, packet.length); - p = (unsigned char *)packet.data; + //p = (unsigned char *)packet.data; } group = packet.group; @@ -1520,7 +1526,7 @@ static int client_callback(PhoneServer * ps, int fd, EloopCondition cond, void * do_emulator(ps, ci, &packet); break; case GSM_GPRS : - do_gprs(ps, ci, &packet); + do_gprs(ps, ci, &packet); break; case GSM_POWER : do_power(ps, ci, &packet); diff --git a/vmodem/server/misc.c b/vmodem/server/misc.c index 6924036..e6f7544 100644 --- a/vmodem/server/misc.c +++ b/vmodem/server/misc.c @@ -159,7 +159,14 @@ int packed_S32(unsigned char* bytearray) if (!p) return 0; - for(i = sizeof(int); i >= 0; i--) rc = rc | p[i] << i*8; + for(i = sizeof(int); i >= 0; i--) { + if(p[i] < 0 || p[i] > 255){ + return 0; + } + else{ + rc = rc | p[i] << i*8; + } + } return rc; } diff --git a/vmodem/server/server_tx_call.c b/vmodem/server/server_tx_call.c index bcbf1fc..fde4a55 100644 --- a/vmodem/server/server_tx_call.c +++ b/vmodem/server/server_tx_call.c @@ -350,7 +350,7 @@ static void cast_call_incomming(unsigned char call_id) int server_tx_call_incoming_noti( LXT_MESSAGE * packet ) //¸ÁÀÔÀå¿¡¼± outgoing call. { - int num_len = 0, ret = 0; + int num_len = 0, ret = 0, tmp = 0; char number[MAX_GSM_DIALED_DIGITS_NUMBER]; char *p, data[8 + MAX_GSM_DIALED_DIGITS_NUMBER]; unsigned char ss_present_indi ; @@ -411,7 +411,12 @@ int server_tx_call_incoming_noti( LXT_MESSAGE * packet ) // } else { - num_len = p[3]; + tmp = (int)p[3]; + if(tmp < 0 || tmp > 254){ + TRACE(MSGL_VGSM_INFO, "ERROR!! Invalid value of packet.data.\n"); + return -1; + } + num_len = tmp; memcpy(number, &p[7], num_len); log_msg(MSGL_VGSM_INFO," call num len %d \n", num_len); ss_present_indi = 0; 
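Review bot: In the read path shown in this hunk, `packet.length` is passed straight to `PacketDataMalloc(packet.length + 1)` and `ReadBytes`, and neither the allocation result nor `rc` is checked in the visible lines before `group = packet.group` is used. The length is presumably taken from the client's header, so in a commit about tainted values this is the place to enforce an upper limit on it. It should also bail out on a NULL buffer or a short read, e.g. `if (!packet.data || rc != packet.length) { ... }`, assuming ReadBytes returns the number of bytes read, with whatever cleanup the function already uses on error. Any guard above or below the hunk is not visible here.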
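Review bot: The added test `p[i] < 0 || p[i] > 255` in packed_S32 can never be true if `p` has the `unsigned char *` type of the `bytearray` parameter (its declaration is above the hunk), so it adds no validation. The real defect is in the loop header it wraps: `i = sizeof(int)` starts one index too high, so it reads a byte past the `sizeof(int)` bytes being decoded. It then shifts that byte by the full width of `int`, which is undefined behaviour. Starting one lower and shifting an unsigned value fixes both: `for (i = (int)sizeof(int) - 1; i >= 0; i--) rc |= (unsigned int)p[i] << (i * 8);`, with `rc` ideally accumulated as `unsigned int` and converted on return. This changes the value returned, so callers that depend on the old result need checking.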
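Review bot: The new limit on `num_len` in server_tx_call_incoming_noti is the constant 254, but the `memcpy` that follows writes into `number`, declared as `char number[MAX_GSM_DIALED_DIGITS_NUMBER]` in the previous hunk, so the check only prevents an overflow if that macro is at least 254. Bounding by the destination does not depend on the macro's value: `if (tmp < 0 || (size_t)tmp > sizeof(number)) {`. Because `p` is a plain `char *`, `p[3]` may be sign-extended where `char` is signed, so reading it as `(unsigned char)p[3]` states the intent more clearly. The source side is also unchecked in the visible lines: nothing here confirms the packet holds `7 + num_len` bytes before `&p[7]` is read.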
diff --git a/vmodem/server/server_tx_network.c b/vmodem/server/server_tx_network.c index 306a8a9..64a2682 100644 --- a/vmodem/server/server_tx_network.c +++ b/vmodem/server/server_tx_network.c @@ -48,15 +48,19 @@ int server_tx_net_plmn_list_noti(LXT_MESSAGE const* packet) VGSM_DEBUG("\n"); unsigned char *data = 0; - int ret = 0, len = 0; + int ret = 0, len = 0, tmp; unsigned char *ptr = (unsigned char *)packet->data; int i = 0; - len = 1+(ptr[0]*8); - data = malloc(sizeof(unsigned char)*len); - if(!data) + tmp = (int)ptr[0]; + if(tmp < 0 || tmp > 254){ + TRACE(MSGL_VGSM_INFO, "ERROR!! Invalid value of packet.data.\n"); return -1; + } + + len = 1 + (tmp * 8); + data = malloc(sizeof(unsigned char)*len); for(i=0; i