From 412ed596b94526fa8acbaba2a9112ff01a4d1c54 Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Thu, 17 Jun 2010 04:24:08 -0500
Subject: [PATCH] Fix: potential to crash in atmodem

Some callbacks in call-meter were assuming that a modem follows 27.007 and actually returns a string. Some modems don't return a string that is properly formatted (e.g. in quotes). The strtol was thus accessing uninitialized memory and crashing ofono.
---
 drivers/atmodem/call-meter.c | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/drivers/atmodem/call-meter.c b/drivers/atmodem/call-meter.c
index 422056eb..38774d41 100644
--- a/drivers/atmodem/call-meter.c
+++ b/drivers/atmodem/call-meter.c
@@ -65,19 +65,21 @@ static void caoc_cacm_camm_query_cb(gboolean ok,

  g_at_result_iter_init(&iter, result);

- if (!g_at_result_iter_next(&iter, cbd->user)) {
- CALLBACK_WITH_FAILURE(cb, -1, cbd->data);
- return;
- }
+ if (!g_at_result_iter_next(&iter, cbd->user))
+ goto error;
+
+ if (g_at_result_iter_next_string(&iter, &meter_hex) == FALSE)
+ goto error;

- g_at_result_iter_next_string(&iter, &meter_hex);
  meter = strtol(meter_hex, &end, 16);
- if (*end) {
- CALLBACK_WITH_FAILURE(cb, -1, cbd->data);
- return;
- }
+ if (*end)
+ goto error;

  cb(&error, meter, cbd->data);
+ return;
+
+error:
+ CALLBACK_WITH_FAILURE(cb, -1, cbd->data);
 }

 static void cccm_notify(GAtResult *result, gpointer user_data)
@@ -93,14 +95,18 @@ static void cccm_notify(GAtResult *result, gpointer user_data)
  if (!g_at_result_iter_next(&iter, "+CCCM:"))
  return;

- g_at_result_iter_next_string(&iter, &meter_hex);
+ if (g_at_result_iter_next_string(&iter, &meter_hex) == FALSE)
+ goto error;
+
  meter = strtol(meter_hex, &end, 16);
- if (*end) {
- ofono_error("Invalid CCCM value");
- return;
- }
+ if (*end)
+ goto error;

  ofono_call_meter_changed_notify(cm, meter);
+ return;
+
+error:
+ ofono_error("Invalid CCCM value");
 }

 static void at_caoc_query(struct ofono_call_meter *cm,
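Review bot: The `if (*end)` test after `strtol` in caoc_cacm_camm_query_cb still accepts an empty string, a leading minus sign and a value of any magnitude, so a modem reply of `""` is reported as meter 0 and an oversized one may be truncated when stored in `meter` (its declaration is outside the hunk). 27.007 describes these meter values as three hex bytes, so the guard could become `if (end == meter_hex || *end != '\0' || meter < 0 || meter > 0xFFFFFF) goto error;`. The same parsing appears in cccm_notify in the next hunk and would want the same guard. The function body starts before this hunk.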
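Review bot: The new `error:` path in cccm_notify logs the same `Invalid CCCM value` for a missing string and for bad hex, and nothing in the code records why the return value of g_at_result_iter_next_string now matters. I would add a comment above the check, e.g. `/* Some modems send the value unquoted; meter_hex is then left unset and must not be parsed */`, which keeps the reasoning from the commit message next to the code. Since this handler appears to run on unsolicited +CCCM reports, it is also worth confirming that a modem repeating a malformed report cannot flood the log through ofono_error. The function body starts before this hunk.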