From a16857296827151821016f168bb85b689f60dc91 Mon Sep 17 00:00:00 2001
From: sinikang
Date: Wed, 5 Feb 2020 16:26:57 +0900
Subject: [PATCH] Fix SVACE issue

- WGID 422160, 422365, 422367, 425152
- add null termination after memcpy()
- remove unreachable code

Change-Id: Ia0409f2ba0156a0850a3778313eb1dc981b1c3fc
Signed-off-by: sinikang
---
 include/type/sat.h | 36 ++++++++++++++++++------------------
 packaging/libtcore.spec | 2 +-
 src/core_object/co_ps.c | 4 ----
 src/core_object/co_sat.c | 27 ++++++++++++++++++++-------
 src/core_object/co_sim.c | 4 +++-
 src/util.c | 4 ++--
 6 files changed, 44 insertions(+), 33 deletions(-)
 mode change 100755 => 100644 include/type/sat.h

diff --git a/include/type/sat.h b/include/type/sat.h
old mode 100755
new mode 100644
index 70e1645..28952ef
--- a/include/type/sat.h
+++ b/include/type/sat.h
@@ -155,7 +155,7 @@ struct tel_sat_address{
 enum type_of_number ton;
 enum numbering_plan_identifier npi;
 int dialing_number_len; /**< Dialing Number length */
- char dialing_number[SAT_DIALING_NUMBER_LEN_MAX]; /**< Dialing Number*/
+ char dialing_number[SAT_DIALING_NUMBER_LEN_MAX + 1]; /**< Dialing Number*/
 };
 
 /*
@@ -173,7 +173,7 @@ struct tel_sat_alpha_identifier{
 */
 struct tel_sat_subaddress{
 int subaddress_len;
- char subaddress[SAT_SUB_ADDR_LEN_MAX];
+ char subaddress[SAT_SUB_ADDR_LEN_MAX + 1];
 };
 
 /*
@@ -181,7 +181,7 @@ struct tel_sat_subaddress{
 */
 struct tel_sat_ccp{
 int data_len;
- char data[SAT_CCP_DATA_LEN_MAX];
+ char data[SAT_CCP_DATA_LEN_MAX + 1];
 };
 
 /*
@@ -533,7 +533,7 @@ enum sms_tpdu_type{
 struct tel_sat_sms_tpdu{
 enum sms_tpdu_type tpdu_type;
 int data_len;
- char data[SAT_SMS_TPDU_SMS_DATA_LEN_MAX];
+ char data[SAT_SMS_TPDU_SMS_DATA_LEN_MAX + 1];
 };
 
 /*
@@ -543,7 +543,7 @@ struct tel_sat_ss_string{
 enum type_of_number ton;
 enum numbering_plan_identifier npi;
 unsigned char string_len; /**< SS string length */
- char ss_string[SAT_SS_STRING_LEN_MAX]; /**< SS stringr*/
+ char ss_string[SAT_SS_STRING_LEN_MAX + 1]; /**< SS stringr*/
 };
 
 /*
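Review bot: Every buffer in include/type/sat.h grows by one byte (tel_sat_address.dialing_number here, and likewise in each `+ 1` hunk through @@ -1531), which changes sizeof and field offsets of types declared in a public header; if any of these structs cross the library boundary that is an ABI change, and the patchlevel-only bump in packaging/libtcore.spec does not signal it. Several of the arrays (tel_sat_sms_tpdu.data, identifier, remote_entity_address, network_access_name, tel_sat_envelop_raw_data_tlv.data) presumably hold raw bytes rather than C strings, so the extra byte is only slack there, which is harmless but worth stating. The comment on identifier still reads `/* length is 16 byte, Refer TS 101.220 */` while the array is now SAT_AID_LEN_MAX + 1; `/* 16-byte AID per TS 101.220, plus one byte so the decoder can terminate it */` would keep the comment and the declaration in agreement.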
@@ -553,7 +553,7 @@ struct tel_sat_text_string_object{
 int is_digit_only;
 struct data_coding_scheme dcs;
 int string_length;
- char string[SAT_TEXT_STRING_LEN_MAX+1];
+ char string[SAT_TEXT_STRING_LEN_MAX + 1];
 };
 
 /*
@@ -608,7 +608,7 @@ struct tel_sat_tone{
 struct tel_sat_ussd_string{
 struct data_coding_scheme dsc;
 unsigned char string_len; /**< USSD string length */
- char ussd_string[SAT_USSD_STRING_LEN_MAX]; /**< USSD stringr*/
+ char ussd_string[SAT_USSD_STRING_LEN_MAX + 1]; /**< USSD stringr*/
 };
 
 /*
@@ -736,8 +736,8 @@ struct tel_sat_icon{
 enum tel_sim_img_coding_scheme ics;
 unsigned short icon_data_len;
 unsigned short clut_data_len;
- char icon_file[SAT_IMG_DATA_FILE_PATH_LEN_MAX];
- char clut_file[SAT_IMG_DATA_FILE_PATH_LEN_MAX];
+ char icon_file[SAT_IMG_DATA_FILE_PATH_LEN_MAX + 1];
+ char clut_file[SAT_IMG_DATA_FILE_PATH_LEN_MAX + 1];
 };
 
 struct tel_sat_icon_identifier{
@@ -776,7 +776,7 @@ struct tel_sat_date_time_and_timezone{
 */
 struct tel_sat_dtmf_string{
 int dtmf_length;
- char dtmf_string[SAT_DTMF_STRING_LEN_MAX];
+ char dtmf_string[SAT_DTMF_STRING_LEN_MAX + 1];
 };
 
 /*
@@ -804,7 +804,7 @@ enum browser_identity{
 */
 struct tel_sat_url{
 int url_length;
- char url[SAT_URL_LEN_MAX];
+ char url[SAT_URL_LEN_MAX + 1];
 };
 
 /*
@@ -828,7 +828,7 @@ struct tel_sat_bearer_list{
 */
 struct tel_sat_provisioning_file_ref{
 int file_path_length;
- char file_path[SAT_PROVISIONING_FILE_PATH_LEN_MAX];
+ char file_path[SAT_PROVISIONING_FILE_PATH_LEN_MAX + 1];
 };
 
 
@@ -1019,7 +1019,7 @@ struct tel_sat_bearer_description{
 */
 struct tel_sat_channel_data{
 unsigned char data_string_len; /**< channel data string length */
- char data_string[SAT_CHANNEL_DATA_STRING_LEN_MAX];
+ char data_string[SAT_CHANNEL_DATA_STRING_LEN_MAX + 1];
 };
 
 /*
@@ -1073,7 +1073,7 @@ enum address_type{
 struct tel_sat_other_address{
 enum address_type address_type; /**< channel address type */
 unsigned char address_len; /**< channel address length */
- char address[SAT_OTHER_ADDR_LEN_MAX]; /**< channel address */
+ char address[SAT_OTHER_ADDR_LEN_MAX + 1]; /**< channel address */
 };
 
 /*
@@ -1096,7 +1096,7 @@ struct tel_sat_uicc_terminal_interface_transport_level{
 struct tel_sat_application_identifier {
 gboolean b_is_exist;
 unsigned short length;
- unsigned char identifier[SAT_AID_LEN_MAX]; /* length is 16 byte, Refer TS 101.220 */
+ unsigned char identifier[SAT_AID_LEN_MAX + 1]; /* length is 16 byte, Refer TS 101.220 */
 };
 
 /*
@@ -1111,7 +1111,7 @@ enum remote_entity_coding_type{
 struct tel_sat_remote_entity_address{
 enum remote_entity_coding_type coding_type;
 unsigned short length;
- unsigned char remote_entity_address[SAT_REMOTE_ENTITY_ADDR_LEN_MAX];
+ unsigned char remote_entity_address[SAT_REMOTE_ENTITY_ADDR_LEN_MAX + 1];
 };
 
 /*
@@ -1119,7 +1119,7 @@ struct tel_sat_remote_entity_address{
 */
 struct tel_sat_network_access_name{
 unsigned short length;
- unsigned char network_access_name[SAT_NET_ACC_NAM_LEN_MAX];
+ unsigned char network_access_name[SAT_NET_ACC_NAM_LEN_MAX + 1];
 };
 
 /*
@@ -1531,7 +1531,7 @@ struct tel_sat_envelop_sms_pp_download_tlv {
 
 struct tel_sat_envelop_raw_data_tlv {
 int data_len;
- unsigned char data[SAT_ENVELOPE_DATA_LEN_MAX];
+ unsigned char data[SAT_ENVELOPE_DATA_LEN_MAX + 1];
 };
 
 struct treq_sat_envelop_cmd_data{
diff --git a/packaging/libtcore.spec b/packaging/libtcore.spec
index 0b50593..ae80625 100644
--- a/packaging/libtcore.spec
+++ b/packaging/libtcore.spec
@@ -1,6 +1,6 @@
 %define major 0
 %define minor 3
-%define patchlevel 30
+%define patchlevel 31
 
 Name: libtcore
 Version: %{major}.%{minor}.%{patchlevel}
diff --git a/src/core_object/co_ps.c b/src/core_object/co_ps.c
index cacaa30..0fe14c4 100644
--- a/src/core_object/co_ps.c
+++ b/src/core_object/co_ps.c
@@ -628,12 +628,8 @@ CoreObject *tcore_ps_ref_context_by_role(CoreObject *o, enum co_context_role rol
 continue;
 pdp_o = list->data;
 
- if (!pdp_o)
- continue;
-
 if (tcore_object_get_type(pdp_o) != CORE_OBJECT_TYPE_PS_CONTEXT)
 continue;
-
 if (tcore_context_get_role(pdp_o) == role)
 return pdp_o;
 }
diff --git a/src/core_object/co_sat.c b/src/core_object/co_sat.c
index 0fb033a..9f6fdef 100644
--- a/src/core_object/co_sat.c
+++ b/src/core_object/co_sat.c
@@ -481,8 +481,9 @@ static enum tcore_sat_result _sat_decode_address_tlv(unsigned char *tlv_str, int
 _sat_decode_ton_npi(src_data[temp_index++], &address_obj->ton, &address_obj->npi);
 str_ascii = tcore_util_convert_bcd2ascii((const char *)&src_data[temp_index], address_len - 1, SAT_DIALING_NUMBER_LEN_MAX);
 if (str_ascii) {
- memcpy(address_obj->dialing_number, str_ascii, strlen(str_ascii));
- address_obj->dialing_number_len = strlen(str_ascii);
+ address_obj->dialing_number_len = (strlen(str_ascii) > SAT_DIALING_NUMBER_LEN_MAX) ? SAT_DIALING_NUMBER_LEN_MAX : strlen(str_ascii);
+ strncpy(address_obj->dialing_number, str_ascii, address_obj->dialing_number_len);
+ address_obj->dialing_number[address_obj->dialing_number_len] = 0x00;
 g_free(str_ascii);
 }
 }
@@ -562,8 +563,10 @@ static enum tcore_sat_result _sat_decode_subaddress_tlv(unsigned char *tlv_str,
 /* bIsComprehensionPartial = TRUE; */
 sub_address_obj->subaddress_len = 0;
 }
- } else
+ } else {
 memcpy(sub_address_obj->subaddress, &src_data[temp_index], sub_address_obj->subaddress_len);
+ sub_address_obj->subaddress[sub_address_obj->subaddress_len] = 0x00;
+ }
 
 *consumed_data_len = 1 + len_of_len + sub_address_len;
 return TCORE_SAT_SUCCESS;
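Review bot: Removing `if (!pdp_o) continue;` means tcore_object_get_type(pdp_o) on the following context line is now reached with whatever list->data holds, and nothing in the hunk guarantees that entry is non-NULL; unless tcore_object_get_type() tolerates NULL itself (not visible here) this trades a static-analysis finding for a possible NULL dereference. If the list is known never to contain a NULL entry, a one-line comment above the assignment, `/* list->data is never NULL: entries are only ever added as valid objects */`, would record why the guard was dropped rather than leaving the next reader to rediscover it. tcore_ps_ref_context_by_role() starts before the hunk and continues after the closing brace shown.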
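Review bot: In the new dialing_number_len line `strlen(str_ascii)` is evaluated twice, the size_t result is stored into an int field, and that field is then fed back to strncpy as its bound; computing the length once keeps the three lines readable and makes the clamp explicit: `size_t len = strlen(str_ascii); if (len > SAT_DIALING_NUMBER_LEN_MAX) len = SAT_DIALING_NUMBER_LEN_MAX;` then `address_obj->dialing_number_len = (int)len;`. The same pattern is repeated in @@ -1791 for dtmf_string. Since tcore_util_convert_bcd2ascii() is already called with SAT_DIALING_NUMBER_LEN_MAX as its last argument, the clamp appears to be defensive only; a comment saying so, `/* bcd2ascii already caps at SAT_DIALING_NUMBER_LEN_MAX; clamp again so the terminator write below stays in bounds */`, would tell a later reader which bound is the real one.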
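Review bot: The memcpy plus terminator pair added in the else branch is the same code that @@ -691 (_sat_decode_sub_address_tlv) and @@ -761 (_sat_decode_ccp_tlv) add, and the two sub-address decoders are already near-duplicates; a small file-scope helper such as `static void _sat_copy_terminated(char *dst, const unsigned char *src, int len)` that does the memcpy and writes `dst[len] = 0x00` would put the "len must not exceed the array's MAX" invariant in one place instead of nine. The write to subaddress[subaddress_len] is in bounds only because the branch above presumably resets subaddress_len to 0 when the TLV length is too large; that branch's condition starts before the hunk, so this is inferred rather than seen.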
@@ -691,8 +694,10 @@ static enum tcore_sat_result _sat_decode_sub_address_tlv(unsigned char *tlv_str,
 return TCORE_SAT_COMMAND_NOT_UNDERSTOOD;
 else
 sub_address_obj->subaddress_len = 0;
- } else
+ } else {
 memcpy(sub_address_obj->subaddress, &src_data[temp_index], sub_address_obj->subaddress_len);
+ sub_address_obj->subaddress[sub_address_obj->subaddress_len] = 0x00;
+ }
 
 dbg("[SAT] SAT PARSER - subAddressLen=%d", sub_address_obj->subaddress_len);
 for (i = 0; i < sub_address_obj->subaddress_len; i++)
@@ -761,8 +766,10 @@ static enum tcore_sat_result _sat_decode_ccp_tlv(unsigned char *tlv_str, int tlv
 return TCORE_SAT_COMMAND_NOT_UNDERSTOOD;
 else
 ccp_obj->data_len = 0;
- } else
+ } else {
 memcpy(ccp_obj->data, &src_data[temp_index], ccp_obj->data_len);
+ ccp_obj->data[ccp_obj->data_len] = 0x00;
+ }
 
 dbg("[SAT] SAT PARSER - ccp len=%d", ccp_obj->data_len);
 for (i = 0; i < ccp_obj->data_len; i++)
@@ -1045,6 +1052,7 @@ static enum tcore_sat_result _sat_decode_sms_tpdu_tlv(unsigned char *tlv_str, in
 /* data */
 memcpy(sms_tpdu_obj->data, &src_data[temp_index], sms_tpdu_obj->data_len);
+ sms_tpdu_obj->data[sms_tpdu_obj->data_len] = 0x00;
 dbg("[SAT] SAT PARSER tpdu_len (%d)", sms_tpdu_obj->data_len);
 *consumed_data_len = 1 + len_of_len + tpdu_len;
@@ -1346,6 +1354,7 @@ static enum tcore_sat_result _sat_decode_ussd_string_tlv(unsigned char *tlv_str,
 _sat_decode_dcs(src_data[temp_index++], &ussd_str_obj->dsc);
 ussd_str_obj->string_len = ussd_len - 1;
 memcpy(ussd_str_obj->ussd_string, &src_data[temp_index], ussd_str_obj->string_len);
+ ussd_str_obj->ussd_string[ussd_str_obj->string_len] = 0x00;
 /* 1 is the length of Tag. */
 *consumed_data_len = 1 + len_of_len + ussd_len;
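Review bot: `sms_tpdu_obj->data[sms_tpdu_obj->data_len] = 0x00;` is in bounds only if data_len has already been checked against SAT_SMS_TPDU_SMS_DATA_LEN_MAX, and that check, if it exists, is outside the hunk; the same applies to @@ -1346 (string_len = ussd_len - 1), @@ -1952 (url_len), @@ -2202 (channel_data_len) and @@ -2446 (length = remote_data_len - 1). These lengths are parsed from the incoming TLV, so the header's `+ 1` only helps once the decoder has rejected lengths above the MAX; a one-line comment at each terminator, `/* data_len <= SAT_SMS_TPDU_SMS_DATA_LEN_MAX: validated above */`, would tie each write to the check it depends on. For the USSD case note also that string_len is declared `unsigned char` in sat.h, so `ussd_len - 1` is silently truncated when it exceeds 255 and the terminator then lands short of the copied bytes; whether the length parser can produce such a value is not visible here.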
@@ -1791,8 +1800,9 @@ static enum tcore_sat_result _sat_decode_dtmf_string_tlv(unsigned char *tlv_str,
 if (dtmf_len > 0) {
 str_ascii = tcore_util_convert_bcd2ascii((const char *)&src_data[temp_index], dtmf_len, SAT_DTMF_STRING_LEN_MAX);
 if (str_ascii) {
- memcpy(dtmf_string_obj->dtmf_string, str_ascii, strlen(str_ascii));
- dtmf_string_obj->dtmf_length = strlen(str_ascii);
+ dtmf_string_obj->dtmf_length = (strlen(str_ascii) > SAT_DTMF_STRING_LEN_MAX) ? SAT_DTMF_STRING_LEN_MAX : strlen(str_ascii);
+ strncpy(dtmf_string_obj->dtmf_string, str_ascii, dtmf_string_obj->dtmf_length);
+ dtmf_string_obj->dtmf_string[dtmf_string_obj->dtmf_length] = 0x00;
 g_free(str_ascii);
 }
 }
@@ -1952,6 +1962,7 @@ static enum tcore_sat_result _sat_decode_url_tlv(unsigned char *tlv_str, int tlv
 }
 memcpy(url->url, &src_data[temp_index], url_len);
+ url->url[url_len] = 0x00;
 dbg("[SAT] url(%s)", url->url);
 *consumed_data_len = 1 + len_of_len + url_len;
@@ -2202,6 +2213,7 @@ static enum tcore_sat_result _sat_decode_channel_data_tlv(unsigned char *tlv_str
 /* data */
 channel_data_obj->data_string_len = channel_data_len;
 memcpy(channel_data_obj->data_string, &src_data[temp_index], channel_data_len);
+ channel_data_obj->data_string[channel_data_len] = 0x00;
 *consumed_data_len = 1 + len_of_len + channel_data_len;
 return TCORE_SAT_SUCCESS;
@@ -2446,6 +2458,7 @@ static enum tcore_sat_result _sat_decode_remote_entity_address_tlv(unsigned char
 remote_address_obj->length = remote_data_len - 1;
 memcpy(remote_address_obj->remote_entity_address, &src_data[temp_index], remote_address_obj->length);
+ remote_address_obj->remote_entity_address[remote_address_obj->length] = 0x00;
 *consumed_data_len = 1 + len_of_len + remote_data_len;
 return TCORE_SAT_SUCCESS;
diff --git a/src/core_object/co_sim.c b/src/core_object/co_sim.c
index 0dc3d48..23283e4 100644
--- a/src/core_object/co_sim.c
+++ b/src/core_object/co_sim.c
@@ -48,6 +48,8 @@
 #define SIM_FTYPE_DF 0x2
 #define SIM_FTYPE_EF 0x4
+#define MAX_BUF_SIZE 255
+
 struct private_object_data {
 struct tcore_sim_operations *ops[TCORE_OPS_TYPE_MAX];
@@ -2650,7 +2652,7 @@ gboolean tcore_sim_decode_isim_pcscf(struct tel_sim_pcscf *p_out, unsigned char
 p_out->pcscf = calloc(1, len);
 memcpy(p_out->pcscf, &p_in[3], len-1);
 } else {
- unsigned char buf[255] = {0, };
+ unsigned char buf[MAX_BUF_SIZE + 1] = {0, };
 unsigned short buf_len;
 gboolean ret = FALSE;
diff --git a/src/util.c b/src/util.c
index 695b50a..50a21e5 100644
--- a/src/util.c
+++ b/src/util.c
@@ -258,9 +258,9 @@ static void _convert_gsm_to_utf8(unsigned char *dest, unsigned short *dest_len,
 return;
 }
- *dest_len = strlen((const char *)target_tmp);
 dbg("utf8 (%s), len(%d)", (const char *)target_tmp, strlen((const char *)target_tmp));
- memcpy(dest, target_tmp, strlen((const char *)target_tmp));
+ *dest_len = (strlen(target_tmp) >= MAX_BUF_SIZE) ? MAX_BUF_SIZE - 1 : strlen(target_tmp);
+ memcpy(dest, target_tmp, *dest_len);
 dbg("final utf8 str (%s), length (%d)", dest, tmp_len);
 g_free(raw_unicode);
--
2.7.4
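Review bot: MAX_BUF_SIZE is introduced as a file-local `#define` in co_sim.c, yet the util.c hunk in the same patch also uses MAX_BUF_SIZE without adding a definition there (the diffstat shows util.c at +2/-2), so either util.c already carries its own copy of the constant, which now has to be kept in sync by hand, or the name is undefined in that file. If both files mean the same 255-byte limit, a single definition in a private header shared by the two would be better than two literals. In co_sim.c the buffer grows from 255 to MAX_BUF_SIZE + 1 bytes, but the code that fills buf is outside the hunk, so whether the extra byte is needed for a terminator or merely widens the buffer is not visible; a comment on the declaration, `/* +1: room for the terminator written after the copy */` or whatever the real reason is, would settle it.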
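Review bot: The new `*dest_len = (strlen(target_tmp) >= MAX_BUF_SIZE) ? MAX_BUF_SIZE - 1 : strlen(target_tmp);` drops the `(const char *)` cast that both the removed line and the surviving dbg() line apply to target_tmp, which suggests target_tmp is not a `char *` and the two new strlen calls will draw a pointer-sign warning; it also evaluates strlen twice. More importantly the truncated copy is never terminated: memcpy copies *dest_len bytes and the very next dbg() prints dest with %s, so unless the caller zero-fills dest (not visible; _convert_gsm_to_utf8 starts before the hunk) that log line reads past the copied bytes, and the `MAX_BUF_SIZE - 1` clamp looks as if it was meant to leave room for exactly that byte. Keeping the cast and adding `dest[*dest_len] = '\0';` after the memcpy would make the clamp and the later %s consistent.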