There were two issues here, the report_buffer is too small to hold the
value, and accessing the memory outside its bounds. The following fixes
were made:
- Expand the size of report_buffer to 4096 from 256, this is to account
for handling of really long GSM USSD report strings
- Make sure not to access memory outside the bounds of the buffer
Signed-off-by: Robert Bartel <r.bartel@gmx.net>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
int clear_abort_next = 0;
char *report_string[MAX_REPORTS] ;
int clear_abort_next = 0;
char *report_string[MAX_REPORTS] ;
-char report_buffer[256] ;
+char report_buffer[4096] ;
int n_reports = 0, report_next = 0, report_gathering = 0 ;
int clear_report_next = 0;
int n_reports = 0, report_next = 0, report_gathering = 0 ;
int clear_report_next = 0;
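Review bot: The new size in `char report_buffer[4096] ;` is a bare literal with no comment tying it to the reason given in the commit message (long GSM USSD report strings). Consider a named constant with a one-line comment saying what the limit is for, so a later reader knows why 4096 was chosen. Note also that this only raises the ceiling: a report longer than the buffer is still possible, so the bounds check at the write site is what actually prevents the overflow, and the two need to stay in sync if the declaration ever changes type (for example to a pointer, where sizeof would no longer give the capacity).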
else {
if (!iscntrl (c)) {
int rep_len = strlen (report_buffer);
else {
if (!iscntrl (c)) {
int rep_len = strlen (report_buffer);
- report_buffer[rep_len] = c;
- report_buffer[rep_len + 1] = '\0';
+ if ((rep_len + 1) < sizeof(report_buffer)) {
+ report_buffer[rep_len] = c;
+ report_buffer[rep_len + 1] = '\0';
+ }
}
else {
report_gathering = 0;
}
else {
report_gathering = 0;
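Review bot: In `if ((rep_len + 1) < sizeof(report_buffer))` the left side is an int and the right side is a size_t, so the comparison is done unsigned and will draw a signed/unsigned warning; declaring rep_len as size_t would make the types agree. The arithmetic itself is right (the last permitted write puts the terminator at index sizeof - 1). Two further points on the same lines: when the buffer is full the character is dropped with no indication, so a truncated report is indistinguishable from a complete one and a log message or a truncation flag would help anyone debugging it; and strlen (report_buffer) is recomputed for every received character, which with a 4096-byte buffer is now a noticeably longer scan than before, so tracking the current length in a variable would avoid it.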