1. 27 Jan, 2023 1 commit
  2. 26 Jan, 2023 2 commits
  3. 22 Dec, 2022 1 commit
    • libmbim-glib,tlv: allow 0-length strings for MBIM_TLV_TYPE_WCHAR_STR · 23363567
      Daniele Palmas authored
      Document Microsoft MBIM Extensions for 5G (rev 1.17) considers the possibility
      of having wchar strings tlvs with datalength == 0 in the information buffer
      (e.g. AccessString field in MBIM_CONNECT_INFO_EX3 data structure).
      
      Modify mbim_tlv_string_get for dealing with these situations, returning an
      empty string.
  4. 06 Dec, 2022 1 commit
  5. 05 Dec, 2022 1 commit
  6. 01 Dec, 2022 7 commits
  7. 28 Nov, 2022 3 commits
  8. 22 Nov, 2022 3 commits
  9. 11 Nov, 2022 2 commits
  10. 02 Nov, 2022 1 commit
  11. 31 Oct, 2022 1 commit
    • libmbim-glib,message: fix validation of complete fragment · 37825b4e
      Aleksander Morgado authored
      For messages that may be composed of multiple fragments, the
      _mbim_message_validate_type_header() method would validate whether the
      fragment header can be read or not, because not all fragments contain
      the additional type-specific header contents.
      
      But once the message is complete with all fragments, the message
      validation must also ensure that the type-specific header contents are
      readable before attempting to read them, or we will end up with
      invalid memory reads.
      
      Detected via ASAN+Fuzzing:
        ==5169==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000bc9ac at pc 0x55a9fc0d536d bp 0x7ffc556bb7b0 sp 0x7ffc556bb7a8
        READ of size 4 at 0x6030000bc9ac thread T0
            #0 0x55a9fc0d536c in _mbim_message_validate_complete_fragment libmbim-9999-build/../libmbim-9999/src/libmbim-glib/mbim-message.c:239:28
            #1 0x55a9fc0baf40 in _mbim_message_validate_fragment libmbim-9999-build/../libmbim-9999/src/libmbim-glib/mbim-message.c:279:12
            #2 0x55a9fc0ba7a1 in mbim_message_validate libmbim-9999-build/../libmbim-9999/src/libmbim-glib/mbim-message.c:292:12
            #3 0x55a9fc0b9af1 in LLVMFuzzerTestOneInput libmbim-9999-build/../libmbim-9999/src/libmbim-glib/test/test-message-fuzzer.c:25:5
  12. 26 Oct, 2022 3 commits
  13. 19 Oct, 2022 2 commits
    • e6261dac
    • mbim-device: emit SIGNAL_ERROR only after completing the task · fbcacbb8
      Aleksander Morgado authored
      The task completion involves creating a duplicate of the MbimMessage,
      so a duplicate of the contents of the internal `self->priv->response`
      buffer.
      
      This internal buffer may be cleared e.g. with a forced-close, which
      users of the MbimDevice may decide to do upon a SIGNAL_ERROR, as the
      mbim-proxy does.
      
      So, avoid this race by making sure the task completion and the message
      duplication happen before the SIGNAL_ERROR is emitted.
      
         Thread 0(id: 3296) CRASHED [ SIGSEGV /0x00000000@0x0000000000000004 ]
         0x00007ce3552f7c32 (libmbim-glib.so.4 - mbim-message.c: 1293) mbim_message_dup
         0x00007ce3552fbfd9 (libmbim-glib.so.4 - mbim-device.c: 661) data_available
         0x00007ce35525639a (libglib-2.0.so.0 - gmain.c: 3325) g_main_context_dispatch
         0x00007ce3552566a7 (libglib-2.0.so.0 - gmain.c: 4119) g_main_context_iterate
         0x00007ce355256923 (libglib-2.0.so.0 - gmain.c: 4317) g_main_loop_run
         0x00005ae0f48a5524 (mbim-proxy - mbim-proxy.c: 267) main
         0x00007ce35501ce04 (libc.so.6) __libc_start_main
         0x00005ae0f48a52d9 (mbim-proxy) _start
         0x00007ffcca5b6897
      
      Fixes ModemManager#422
  14. 12 Oct, 2022 1 commit
  15. 10 Oct, 2022 1 commit
  16. 04 Oct, 2022 2 commits
  17. 03 Oct, 2022 8 commits