author | Aleksander Morgado <aleksandermj@chromium.org> | 2023-03-10 08:56:11 +0000 |
---|---|---|
committer | Aleksander Morgado <aleksandermj@chromium.org> | 2023-03-10 08:56:11 +0000 |
commit | 9f5fcc6d0e00cc062de5c2ee4398be02c1fa2009 (patch) | |
tree | bbc372b13cfd184f3185a82318aabda6a6cb6a5d | |
parent | fee04486fcff71934b97bbc39e1f676e78b49e6c (diff) | |
libqmi-glib,message: fix invalid memory read when parsing random data
==632689== Use of uninitialised value of size 8
==632689== at 0x4D5B94B: _itoa_word (_itoa.c:177)
==632689== by 0x4D66CF8: __vfprintf_internal (vfprintf-process-arg.c:164)
==632689== by 0x4D88245: __vasprintf_internal (vasprintf.c:57)
==632689== by 0x4C7661D: g_vasprintf (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==632689== by 0x4C47E3C: g_strdup_vprintf (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==632689== by 0x4C0FFAE: g_error_new_valist (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==632689== by 0x4C1065A: g_set_error (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
==632689== by 0x4900781: message_check.isra.0 (qmi-message.c:323)
==632689== by 0x49031EC: qmi_message_new_from_raw (qmi-message.c:1529)
==632689== by 0x111F78: test_message_parse_common (test-message.c:91)
==632689== by 0x112206: test_message_parse_wrong_qmux (test-message.c:116)
==632689== by 0x4C5064D: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.2)
-rw-r--r-- | src/libqmi-glib/qmi-message.c | 2 | ||||
-rw-r--r-- | src/libqmi-glib/test/test-message.c | 26 |
2 files changed, 25 insertions, 3 deletions
diff --git a/src/libqmi-glib/qmi-message.c b/src/libqmi-glib/qmi-message.c
index cdb49ef2..a51b77e1 100644
--- a/src/libqmi-glib/qmi-message.c
+++ b/src/libqmi-glib/qmi-message.c
@@ -324,7 +324,7 @@ message_check (QmiMessage *self,
                      QMI_CORE_ERROR,
                      QMI_CORE_ERROR_INVALID_MESSAGE,
                      "QMUX length too short for QMUX header (%u < %" G_GSIZE_FORMAT ")",
-                     get_qmux_length (self), sizeof (struct qmux));
+                     self->len, 1 + sizeof (struct qmux));
         return FALSE;
     }
diff --git a/src/libqmi-glib/test/test-message.c b/src/libqmi-glib/test/test-message.c
index 24eac989..93eb3e78 100644
--- a/src/libqmi-glib/test/test-message.c
+++ b/src/libqmi-glib/test/test-message.c
@@ -90,8 +90,12 @@ test_message_parse_common (const guint8 *buffer,
         message = qmi_message_new_from_raw (array, &error);
         if (!message) {
-            if (error && (n_messages < n_expected_messages))
-                g_printerr ("error creating message from raw data: '%s'\n", error->message);
+            if (error) {
+                if (n_messages < n_expected_messages)
+                    g_printerr ("error creating message from raw data: '%s'\n", error->message);
+                else
+                    g_debug ("error creating message from raw data: '%s'", error->message);
+            }
             break;
         }
@@ -105,6 +109,22 @@ test_message_parse_common (const guint8 *buffer,
 }
 static void
+test_message_parse_wrong_qmux (void)
+{
+    const guint8 buffer[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a };
+
+    test_message_parse_common (buffer, sizeof (buffer), 0);
+}
+
+static void
+test_message_parse_tiny (void)
+{
+    const guint8 buffer[] = { 0x01, 0x00, 0x02 };
+
+    test_message_parse_common (buffer, sizeof (buffer), 0);
+}
+
+static void
 test_message_parse_short (void)
 {
     const guint8 buffer[] = {
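Review bot: The error text on the unchanged context line still says "QMUX length too short for QMUX header" while the operand now printed is `self->len`, i.e. the number of bytes held, so the message names a different quantity than it reports; `"buffer too short for QMUX marker and header (%u < %" G_GSIZE_FORMAT ")"` would match the new operands. The valgrind trace in the description places the uninitialised value inside this very g_set_error call, and the only non-constant argument removed is `get_qmux_length (self)`, so the error path itself apparently read the QMUX length field out of bytes the buffer does not yet hold; a why-comment would stop that from being reintroduced: `/* Do not call get_qmux_length() here: on a buffer this short the length field lies beyond the bytes actually received. */`. Whether `%u` matches the declared type of `self->len` cannot be confirmed from the hunk, and `message_check()` both starts and ends outside it.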
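Review bot: The two new tests pass `0` as the expected message count, so they only check that nothing is parsed; neither asserts that `qmi_message_new_from_raw()` rejected the input with an error rather than returning NULL because more bytes are needed, which is presumably the path parse/short relies on, so a regression that made these buffers look like partial messages would still pass. Because test_message_parse_common() is shared, expressing this needs either an extra parameter (e.g. a `gboolean expect_error` checked with `g_assert_nonnull (error)` in the `!message` branch) or a separate helper for these two callers. The byte patterns are also undocumented; a one-line comment per buffer would help, e.g. for wrong-qmux `/* Regression for the uninitialised read in message_check() (see commit message): 6 bytes that must be rejected without reading past the supplied data. */` and for tiny `/* 3 bytes, presumably shorter than QMUX marker + header: should be rejected, not treated as a partial message. */`.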
@@ -1601,6 +1621,8 @@ int main (int argc, char **argv)
 {
     g_test_init (&argc, &argv, NULL);
+    g_test_add_func ("/libqmi-glib/message/parse/wrong-qmux", test_message_parse_wrong_qmux);
+    g_test_add_func ("/libqmi-glib/message/parse/tiny", test_message_parse_tiny);
     g_test_add_func ("/libqmi-glib/message/parse/short", test_message_parse_short);
     g_test_add_func ("/libqmi-glib/message/parse/complete", test_message_parse_complete);
     g_test_add_func ("/libqmi-glib/message/parse/complete-and-short", test_message_parse_complete_and_short);