diff options
author | Archana Polampalli <archana.polampalli@windriver.com> | 2024-05-03 11:41:53 +0000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-05-03 06:44:39 -0700 |
commit | 996c03dfb5295ec38286dee37c70c700b88e0a1e (patch) | |
tree | c46759fd40a561859c384a82f6d8ae5ee1150b05 /meta/recipes-connectivity | |
parent | 51cf006ac7b5b97e65864fb1cb6f5b47192c4ebf (diff) | |
download | openembedded-core-contrib-996c03dfb5295ec38286dee37c70c700b88e0a1e.tar.gz |
ofono: fix CVE-2023-4233
A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug
is triggered within the sms_decode_address_field() function during the SMS
PDU decoding. It is assumed that the attack scenario is accessible from a compromised
modem, a malicious base station, or just SMS.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r-- | meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch | 32 | ||||
-rw-r--r-- | meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 |
2 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch new file mode 100644 index 0000000000..d047a0d87a --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch @@ -0,0 +1,32 @@ +From 1a5fbefa59465bec80425add562bdb1d36ec8e23 Mon Sep 17 00:00:00 2001 +From: Denis Grigorev <d.grigorev@omp.ru> +Date: Fri, 29 Dec 2023 13:30:04 +0300 +Subject: [PATCH] smsutil: Validate the length of the address field + +This addresses CVE-2023-4233. + +CVE: CVE-2023-4233 + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=1a5fbefa59465bec] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + src/smsutil.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/smsutil.c b/src/smsutil.c +index 5a12708..8dd2126 100644 +--- a/src/smsutil.c ++++ b/src/smsutil.c +@@ -626,6 +626,9 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len, + + if (!next_octet(pdu, len, offset, &addr_len)) + return FALSE; ++ /* According to 23.040 9.1.2.5 Address-Length must not exceed 20 */ ++ if (addr_len > 20) ++ return FALSE; + + if (sc && addr_len == 0) { + out->address[0] = '\0'; +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 8aab312ff8..f4548b8a30 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb @@ -13,6 +13,7 @@ SRC_URI = "\ file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \ file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \ file://CVE-2023-4234.patch \ + file://CVE-2023-4233.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7" |