
libmbim-glib,message: fix validation of complete fragment

For messages that may be composed of multiple fragments, the _mbim_message_validate_type_header() method would validate whether the fragment header can be read or not, because not all fragments contain the additional type-specific header contents.

But once the message is complete with all fragments, the message validation must also ensure that the type-specific header contents are readable before attempting to read them, or we will end up with invalid memory reads.

Detected via ASAN+Fuzzing:

  ==5169==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000bc9ac at pc 0x55a9fc0d536d bp 0x7ffc556bb7b0 sp 0x7ffc556bb7a8
  READ of size 4 at 0x6030000bc9ac thread T0
      #0 0x55a9fc0d536c in _mbim_message_validate_complete_fragment libmbim-9999-build/../libmbim-9999/src/libmbim-glib/mbim-message.c:239:28
      #1 0x55a9fc0baf40 in _mbim_message_validate_fragment libmbim-9999-build/../libmbim-9999/src/libmbim-glib/mbim-message.c:279:12
      #2 0x55a9fc0ba7a1 in mbim_message_validate libmbim-9999-build/../libmbim-9999/src/libmbim-glib/mbim-message.c:292:12
      #3 0x55a9fc0b9af1 in LLVMFuzzerTestOneInput libmbim-9999-build/../libmbim-9999/src/libmbim-glib/test/test-message-fuzzer.c:25:5

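The bug class above, as an added example that is not libmbim's code: a three-stage validator where the per-fragment check only guarantees the 8-byte fragment header, and a separate complete-message check bounds the type-specific header before any of its fields are read. The offsets used (12-byte message header, 8-byte fragment header, 32-byte MBIM_COMMAND_MSG header, message type value 3, little-endian fields) follow the MBIM wire format but are assumptions of this example, not taken from the page; the function names, the `enum validation` codes and the sample buffers are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libmbim code. Offsets assume the MBIM wire format:
 * 12-byte message header, 8-byte fragment header on fragmentable types,
 * a 32-byte type-specific header for MBIM_COMMAND_MSG, then the
 * information buffer. All fields are little-endian 32-bit integers. */
#define MBIM_HEADER_LEN          12u
#define MBIM_FRAGMENT_HEADER_LEN  8u
#define MBIM_COMMAND_HEADER_LEN  32u   /* UUID 16 + CID 4 + command type 4 + info buffer length 4 */
#define MBIM_MSG_COMMAND 0x00000003u

enum validation {
    VALID = 0,
    ERR_HEADER,       /* message header missing, or declared length does not fit the buffer */
    ERR_FRAGMENT,     /* fragment header missing, or fragment indices inconsistent */
    ERR_TYPE_HEADER,  /* type-specific header would be read past the end of the message */
    ERR_INFO_BUFFER   /* information buffer length exceeds the message */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Stage 1, every fragment: the 12-byte header is readable and the declared
 * message length is bounded by the buffer actually received. */
static enum validation validate_header(const uint8_t *buf, size_t len)
{
    if (len < MBIM_HEADER_LEN)
        return ERR_HEADER;
    uint32_t msglen = rd32(buf + 4);
    if (msglen < MBIM_HEADER_LEN || msglen > len)
        return ERR_HEADER;
    return VALID;
}

/* Stage 2, every fragment of a fragmentable type: only the fragment header is
 * checked, because fragments other than the first carry no type-specific header. */
static enum validation validate_fragment(const uint8_t *buf, size_t len)
{
    enum validation r = validate_header(buf, len);
    if (r != VALID)
        return r;
    if (rd32(buf) != MBIM_MSG_COMMAND)
        return VALID;  /* this example only models the fragmentable command type */
    if (rd32(buf + 4) < MBIM_HEADER_LEN + MBIM_FRAGMENT_HEADER_LEN)
        return ERR_FRAGMENT;
    uint32_t total = rd32(buf + 12), current = rd32(buf + 16);
    if (total == 0 || current >= total)
        return ERR_FRAGMENT;
    return VALID;
}

/* Stage 3, the reassembled message: the whole type-specific header must lie
 * inside msglen before any field in it is read. Omitting this check and
 * reading the info buffer length at offset 48 of a short message is the
 * 4-byte heap over-read the ASAN report above describes. */
static enum validation validate_complete(const uint8_t *buf, size_t len)
{
    enum validation r = validate_fragment(buf, len);
    if (r != VALID)
        return r;
    if (rd32(buf) != MBIM_MSG_COMMAND)
        return VALID;
    uint32_t msglen = rd32(buf + 4);
    const size_t type_hdr_end = MBIM_HEADER_LEN + MBIM_FRAGMENT_HEADER_LEN + MBIM_COMMAND_HEADER_LEN;
    if (msglen < type_hdr_end)
        return ERR_TYPE_HEADER;
    uint32_t info_len = rd32(buf + type_hdr_end - 4);
    if (info_len > msglen - type_hdr_end)
        return ERR_INFO_BUFFER;
    return VALID;
}

/* Constructed command message, not captured from a device. Caller's buffer is 64 bytes. */
static size_t build_command(uint8_t *out, uint32_t msglen, uint32_t total, uint32_t current, uint32_t info_len)
{
    memset(out, 0, 64);
    wr32(out, MBIM_MSG_COMMAND);
    wr32(out + 4, msglen);
    wr32(out + 8, 1);          /* transaction id */
    wr32(out + 12, total);
    wr32(out + 16, current);
    if (msglen >= 52)
        wr32(out + 48, info_len);
    return msglen;
}

/* 56-byte complete command with a 4-byte information buffer: accepted. */
enum validation check_well_formed(void)
{
    uint8_t buf[64];
    return validate_complete(buf, build_command(buf, 56, 1, 0, 4));
}

/* 20-byte single-fragment message: the fragment header is present, so the
 * per-fragment stage accepts it ... */
enum validation check_truncated_fragment_stage(void)
{
    uint8_t buf[64];
    return validate_fragment(buf, build_command(buf, 20, 1, 0, 0));
}

/* ... but the complete-message stage must reject it instead of reading offset 48. */
enum validation check_truncated_complete_stage(void)
{
    uint8_t buf[64];
    return validate_complete(buf, build_command(buf, 20, 1, 0, 0));
}

/* Header present but the declared information buffer overruns the message. */
enum validation check_oversized_info_buffer(void)
{
    uint8_t buf[64];
    return validate_complete(buf, build_command(buf, 56, 1, 0, 100));
}
```

The point of the split is that the two stages have different preconditions: the per-fragment stage must accept a buffer that holds only a fragment header, while the complete-message stage must not, and every read of a type-specific field has to be preceded by a bound on the reassembled length, not on the fragment it happened to arrive in.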