Bug 1031738

Summary: libqmi: harden application-level encoders and decoders
Product: Red Hat Enterprise Linux 7 Reporter: Florian Weimer <fweimer>
Component: libqmiAssignee: Thomas Haller <thaller>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: aloughla, dcbw, fweimer, kdube, rkhan, thaller, tlavigne, tpelka, vbenes
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 13:31:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1024057, 1031731, 1110708, 1113520    

Description Florian Weimer 2013-11-18 16:33:41 UTC 
When reading strings, the generated *_validate functions do not check if the buffer has space for the length field.  It seems that this can lead to an assert when decoding a message.

The generated function __qmi_message_dms_set_firmware_preference_request_create() calls qmi_utils_write_string_to_buffer() in a loop.  It is not immediately obvious why the statically allocated target buffer has sufficient storage space for all those strings.  In other cases, only a single PASCAL string is written to a buffer which has slightly less than 1024 bytes, which should be okay.

I don't know where the data comes from and if an untrusted source might trigger crashes this way, hence the private bug.
Comment 7 Thomas Haller 2014-10-08 09:42:12 UTC 
Upstream fix:

http://cgit.freedesktop.org/libqmi/commit/?id=451d627530686833fd5fffba9d412dfa9fe41fc5 qmi-codegen: make sure expected len is 4 bytes

http://cgit.freedesktop.org/libqmi/commit/?id=150768f6bba84182e7d3a956c36d5a7d27129759 qmi-codegen: error out if invalid array size element in JSON

http://cgit.freedesktop.org/libqmi/commit/?id=b439d6d13ec8a8e4ff247b7d042424f10574aa84 qmi-codegen: avoid buffer overlow in emit_input_tlv_add()

http://cgit.freedesktop.org/libqmi/commit/?id=c744b04814098ea3647de8d618bd88e5554e1a26 libqmi,utils: assert input buffer size when writing strings to buffer

http://cgit.freedesktop.org/libqmi/commit/?id=471d038fe38f7b99383f9654dcc8f6662d96e6f8 qmi-codegen: ensure enough buffer available to read string/array size variable
Comment 12 errata-xmlrpc 2015-03-05 13:31:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0579.html