Fix bugs found in security audit of gobi3k-sdk

BUG=chromeos-partner:4395 TEST=Adhoc Change-Id: I038c69daf7a88eeafd546cb0bb1beec921326c87 Reviewed-on: https://gerrit-int.chromium.org/2051 Reviewed-by: Elly Jones <ellyjones@google.com> Reviewed-by: Jason Glasgow <jglasgow@google.com> Reviewed-by: ttuttle <ttuttle@chromium.org> Tested-by: ttuttle <ttuttle@chromium.org>
2011-06-07 14:15:34 -04:00 · 2011-06-07 14:15:34 -04:00 · a5e26cca81
parent 0287908d5c
commit a5e26cca81
3 changed files with 13 additions and 3 deletions
--- a/fixed-GobiAPI-1.0.40/Core/DB2Utilities.cpp
+++ b/fixed-GobiAPI-1.0.40/Core/DB2Utilities.cpp
@ -770,7 +770,17 @@ sSharedBuffer * DB2PackQMIBuffer(
         }
      }

+      if (bufLen + (ULONG)sizeof(sQMIRawContentHeader) < bufLen)
+      {
+         bOK = false;
+         break;
+      }
      bufLen += (ULONG)sizeof(sQMIRawContentHeader);
+      if (bufLen + packedLen < bufLen)
+      {
+         bOK = false;
+         break;
+      }
      bufLen += packedLen;

      // What we are building cannot be too large
--- a/fixed-GobiAPI-1.0.40/Core/DataParser.cpp
+++ b/fixed-GobiAPI-1.0.40/Core/DataParser.cpp
@ -574,8 +574,8 @@ bool sParsedField::ParseString(
   ULONG                      numChars,
   cBitParser &               bp )
 {
-   // Validate size
-   if (MAX_SHARED_BUFFER_SIZE < numChars)
+   // Validate size (including '\0')
+   if (MAX_SHARED_BUFFER_SIZE < numChars + 1)
   {
      return false;
   }
--- a/fixed-GobiAPI-1.0.40/Shared/GobiQMICoreNAS.cpp
+++ b/fixed-GobiAPI-1.0.40/Shared/GobiQMICoreNAS.cpp
@ -267,7 +267,7 @@ eGobiError cGobiQMICore::GetSignalStrengths(
   {
      ULONG fi = 0;
      ULONG auxSigs = (ULONG)pf[fi++].mValue.mU16;
-      if (pf.size() <= 1 + 2 * auxSigs)
+      if (pf.size() >= 1 + 2 * auxSigs)
      {
         for (ULONG s = 0; s < auxSigs; s++, fi += 2)
         {