Parser is not robust against malformed messages
One of our security team researchers was tinkering with the message parser and made it segfault:
diff --git a/src/libmbim-glib/test/test-message-parser.c b/src/libmbim-glib/test/test-message-parser.c
index 6fbd3f8..16da951 100644
--- a/src/libmbim-glib/test/test-message-parser.c
+++ b/src/libmbim-glib/test/test-message-parser.c
@@ -95,8 +95,8 @@ test_message_parser_basic_connect_visible_providers (void)
0x4C, 0x00, 0x00, 0x00, /* 0x0C provider 1 offset */
0x38, 0x00, 0x00, 0x00, /* 0x10 provider 1 length */
/* data buffer... struct provider 0 */
- 0x20, 0x00, 0x00, 0x00, /* 0x14 [0x00] id offset */
- 0x0A, 0x00, 0x00, 0x00, /* 0x18 [0x04] id length */
+ 0x20, 0x00, 0x00, 0x80, /* 0x14 [0x00] id offset */
+ 0x0A, 0x00, 0x00, 0x80, /* 0x18 [0x04] id length */
0x08, 0x00, 0x00, 0x00, /* 0x1C [0x08] state */
0x2C, 0x00, 0x00, 0x00, /* 0x20 [0x0C] name offset */
0x0C, 0x00, 0x00, 0x00, /* 0x24 [0x10] name length */
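Review bot: The mutation sets only the high byte of both the id offset and the id length, so the resulting pair (offset 0x80000020, length 0x8000000A) sums to 0x2A in 32-bit arithmetic, a value that looks in range even though the offset alone lies far outside any message this test builds; a bounds check that compares only the truncated sum against the buffer size would still accept this vector. The hunk's inline comments should state that wraparound is the case being exercised, and a second vector that mutates only the offset (e.g. `0x20, 0x00, 0x00, 0x80, /* 0x14 [0x00] id offset */` with the original `0x0A, 0x00, 0x00, 0x00` length) would make the test catch a parser that validates the sum but not each field.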
$ src/libmbim-glib/test/test-message-parser
# random seed: R02Sd78c19b2e0eaac34fc30f89217409688
1..21
# Start of libmbim-glib tests
# Start of message tests
# Start of parser tests
ok 1 /libmbim-glib/message/parser/ussd
# Start of basic-connect tests
Segmentation fault
I think libmbim's parser should be able to reject messages like these without potentially causing the program using them to crash. However, tracking down all issues like this may be difficult, so it might be good to sign up the mobile broadband projects with OSS-Fuzz or something of that sort.
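As an added illustration (not libmbim's code), this is the check a parser needs in front of every offset/length pair it reads from an MBIM-style data buffer, using a constructed, simplified record in which the id offset and id length are the first two little-endian fields, as in the test vector above. The sum is formed in 64 bits because the report's pair wraps to 0x2A in 32-bit arithmetic:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian 32-bit read; caller guarantees pos + 4 <= buffer length. */
static uint32_t rd_le32(const uint8_t *b, size_t pos)
{
    return (uint32_t)b[pos] | ((uint32_t)b[pos + 1] << 8) |
           ((uint32_t)b[pos + 2] << 16) | ((uint32_t)b[pos + 3] << 24);
}
/* True only if [offset, offset + length) lies inside buf_len bytes. The sum is
 * formed in 64 bits so it cannot wrap: a 32-bit "offset + length <= buf_len"
 * accepts the report's 0x80000020 + 0x8000000A, which truncates to 0x2A. */
bool range_in_bounds(uint32_t offset, uint32_t length, size_t buf_len)
{
    return (uint64_t)offset + (uint64_t)length <= (uint64_t)buf_len;
}
/* Hypothetical provider record: first two LE32 fields are id offset and id length,
 * relative to the data buffer start (as in the test vector); NULL if malformed. */
const uint8_t *provider_id(const uint8_t *buf, size_t buf_len, uint32_t *id_len)
{
    if (buf_len < 8) return NULL;    /* too short to hold the two fields */
    uint32_t off = rd_le32(buf, 0), len = rd_le32(buf, 4);
    if (!range_in_bounds(off, len, buf_len))
        return NULL;                 /* reject rather than read out of bounds */
    *id_len = len;
    return buf + off;
}

/* Constructed 0x2C-byte data buffer: id "3102600001" at offset 0x20, length 0x0A. */
static const uint8_t GOOD[0x2C] = {
    0x20, 0x00, 0x00, 0x00,          /* id offset */
    0x0A, 0x00, 0x00, 0x00,          /* id length */
    [0x20] = '3', '1', '0', '2', '6', '0', '0', '0', '0', '1',
};
/* Parsed id length of a data buffer, or -1 when the record is rejected. */
long parsed_id_len(const uint8_t *buf, size_t buf_len)
{
    uint32_t len;
    return provider_id(buf, buf_len, &len) ? (long)len : -1;
}
/* Report's mutation (high byte of offset and length set to 0x80) applied to a
 * copy of GOOD, then parsed; -1 means the checks rejected it. */
long mutated_id_len(void)
{
    uint8_t bad[sizeof(GOOD)];
    memcpy(bad, GOOD, sizeof(GOOD));
    bad[3] = bad[7] = 0x80;
    return parsed_id_len(bad, sizeof(bad));
}
```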