authorAndrzej Zaborowski <andrew.zaborowski@intel.com>2009-09-16 16:03:50 +0200
committerDenis Kenzior <denkenz@gmail.com>2009-09-16 04:53:44 -0500
commit6d2cf926f3e8e87049ef13994488736b72760445 (patch)
treec7d75f3cc06d507edc61a6bf4d7178db9519c5ad /drivers/atmodem/sms.c
parentb83c7acfc9b0e5f8e2ed77435326a1dcb55dfe0c (diff)
Check received PDUs fit in the buffer, fix buffer size.
Diffstat (limited to 'drivers/atmodem/sms.c')
-rw-r--r--drivers/atmodem/sms.c17
1 files changed, 14 insertions, 3 deletions
diff --git a/drivers/atmodem/sms.c b/drivers/atmodem/sms.c
index 3b7e9e42..d4258186 100644
--- a/drivers/atmodem/sms.c
+++ b/drivers/atmodem/sms.c
@@ -314,7 +314,7 @@ static void at_cmt_notify(GAtResult *result, gpointer user_data)
const char *hexpdu;
long pdu_len;
int tpdu_len;
- unsigned char pdu[164];
+ unsigned char pdu[176];
char buf[256];
dump_response("at_cmt_notify", TRUE, result);
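Review bot: The new size `176` is a bare literal repeated in three functions (here and in the at_cmgr_notify and at_cmgl_notify declaration hunks), with nothing on the page saying why 164 was too small. A single named constant with a one-line comment would keep the three buffers and the `sizeof(pdu) * 2` guards in step, for example `#define SMS_PDU_BUF_LEN 176 /* presumably 164-byte TPDU plus SMSC address prefix; confirm */`. at_cmt_notify continues outside this hunk.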
@@ -324,6 +324,11 @@ static void at_cmt_notify(GAtResult *result, gpointer user_data)
return;
}
+ if (strlen(hexpdu) > sizeof(pdu) * 2) {
+ ofono_error("Bad PDU length in CMT notification");
+ return;
+ }
+
ofono_debug("Got new SMS Deliver PDU via CMT: %s, %d", hexpdu, tpdu_len);
decode_hex_own_buf(hexpdu, -1, &pdu_len, 0, pdu);
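Review bot: The return value of `decode_hex_own_buf()` is still ignored after the new length check, so a `hexpdu` that fits the buffer but is not valid hex may leave `pdu_len` unset before it is used further down (outside this hunk; inferred from the `&pdu_len` out-parameter). The length guard bounds the write into `pdu`, but it does not establish that decoding succeeded. If the helper reports failure by returning NULL, consider `if (decode_hex_own_buf(hexpdu, -1, &pdu_len, 0, pdu) == NULL) { ofono_error("Bad PDU in CMT notification"); return; }`. The same call is unchecked in the at_cmgr_notify and at_cmgl_notify hunks.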
@@ -344,7 +349,7 @@ static void at_cmgr_notify(GAtResult *result, gpointer user_data)
struct ofono_sms *sms = user_data;
GAtResultIter iter;
const char *hexpdu;
- unsigned char pdu[164];
+ unsigned char pdu[176];
long pdu_len;
int tpdu_len;
@@ -366,6 +371,9 @@ static void at_cmgr_notify(GAtResult *result, gpointer user_data)
hexpdu = g_at_result_pdu(result);
+ if (strlen(hexpdu) > sizeof(pdu) * 2)
+ goto err;
+
ofono_debug("Got PDU: %s, with len: %d", hexpdu, tpdu_len);
decode_hex_own_buf(hexpdu, -1, &pdu_len, 0, pdu);
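Review bot: `strlen(hexpdu)` runs on the result of `g_at_result_pdu(result)` with no NULL test visible between the assignment and the new guard. If that accessor can return NULL for a response that carries no PDU line, the added check itself dereferences a null pointer. Writing the condition as `if (hexpdu == NULL || strlen(hexpdu) > sizeof(pdu) * 2)` ahead of the existing `goto err;` covers both cases. The function starts and ends outside this hunk.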
@@ -485,7 +493,7 @@ static void at_cmgl_notify(GAtResult *result, gpointer user_data)
struct sms_data *data = ofono_sms_get_data(sms);
GAtResultIter iter;
const char *hexpdu;
- unsigned char pdu[164];
+ unsigned char pdu[176];
long pdu_len;
int tpdu_len;
int index;
@@ -518,6 +526,9 @@ static void at_cmgl_notify(GAtResult *result, gpointer user_data)
ofono_debug("Found an old SMS PDU: %s, with len: %d",
hexpdu, tpdu_len);
+ if (strlen(hexpdu) > sizeof(pdu) * 2)
+ continue;
+
decode_hex_own_buf(hexpdu, -1, &pdu_len, 0, pdu);
ofono_sms_deliver_notify(sms, pdu, pdu_len, tpdu_len);
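Review bot: `tpdu_len` is passed to `ofono_sms_deliver_notify()` next to the decoded `pdu_len` without being compared with it, and it appears to come from the modem response rather than from the decoded data. A response that claims a TPDU longer than what was decoded would therefore reach the consumer unchecked; a guard after decoding such as `if (tpdu_len < 0 || tpdu_len > pdu_len) continue;` would reject inconsistent entries. The oversize case is also skipped silently here, whereas at_cmt_notify logs it with `ofono_error()`; a matching log line would make malformed stored messages visible. The loop body starts outside this hunk.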