
Commit 7e9172a1 authored by Miao Chou's avatar Miao Chou Committed by Miao-chen Chou

Fix security vulnerabilities in string operations

This CL prevents potential string overflows in the functions
bta_ag_hfp_result and bta_hf_client_send_atd.

Bug: 20674686,20677309
Change-Id: Iaef720fc784e020f237feb86e17857bddf57bbfc
parent a00bde5a
+9 −8
@@ -21,19 +21,20 @@
 *  This file contains functions for processing AT commands and results.
 *
 ******************************************************************************/
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#include "bt_target.h"
#include "bt_types.h"
#include "gki.h"
#include "bta_api.h"
#include "bta_sys.h"
#include "bta_ag_api.h"
#include "bta_ag_int.h"
#include "bta_ag_at.h"
#include "bta_ag_int.h"
#include "bta_api.h"
#include "bta_sys.h"
#include "gki.h"
#include "port_api.h"
#include "utl.h"
#include <stdio.h>
#include <string.h>
#include <ctype.h>


/*****************************************************************************
@@ -1484,7 +1485,7 @@ void bta_ag_hfp_result(tBTA_AG_SCB *p_scb, tBTA_AG_API_RESULT *p_result)
            APPL_TRACE_DEBUG("CLIP type :%d", p_result->data.num);
            p_scb->clip[0] = 0;
            if (p_result->data.str[0] != 0)
                sprintf(p_scb->clip,"%s,%d", p_result->data.str, p_result->data.num);
                snprintf(p_scb->clip, sizeof(p_scb->clip), "%s,%d", p_result->data.str, p_result->data.num);

            /* send callsetup indicator */
            if (p_scb->post_sco == BTA_AG_POST_SCO_CALL_END)
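Review bot: The new `snprintf` into `p_scb->clip` discards its return value, so a `p_result->data.str` that does not fit is silently cut and the stored CLIP text may hold a partial number or lose the `,%d` type suffix. Consider checking the result and clearing the field on truncation, e.g. `int n = snprintf(...); if (n < 0 || (size_t)n >= sizeof(p_scb->clip)) p_scb->clip[0] = 0;`. `sizeof(p_scb->clip)` is the right bound only if `clip` is an array member and not a pointer; its declaration is outside this hunk, so that is worth confirming. bta_ag_hfp_result starts and ends outside the hunk.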
+12 −9
@@ -16,9 +16,10 @@
 *  limitations under the License.
 *
 ******************************************************************************/
#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>

#include "bta_hf_client_api.h"
#include "bta_hf_client_int.h"
#include "port_api.h"
@@ -56,6 +57,9 @@ extern tBTA_HF_CLIENT_CB bta_hf_client_cb;
#define BTA_HF_CLIENT_INDICATOR_CALLSETUP   "callsetup"
#define BTA_HF_CLIENT_INDICATOR_CALLHELD    "callheld"

#define MIN(a, b) \
    ({ __typeof__(a) _a = (a); __typeof__(b) _b = (b); (_a < _b) ? _a : _b; })

/* CIND: represents each indicators boundaries */
typedef struct
{
@@ -1652,15 +1656,14 @@ void bta_hf_client_send_at_atd(char *number, UINT32 memory)

    APPL_TRACE_DEBUG("%s", __FUNCTION__);

    if (number[0] != '\0')
    {
    if (number[0] != '\0') {
        at_len = snprintf(buf, sizeof(buf), "ATD%s;\r", number);
    }
    else
    {
    } else {
        at_len = snprintf(buf, sizeof(buf), "ATD>%u;\r", memory);
    }

    at_len = MIN(at_len, sizeof(buf));

    bta_hf_client_send_at(BTA_HF_CLIENT_AT_ATD, buf, at_len);
}
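Review bot: Clamping with `at_len = MIN(at_len, sizeof(buf));` hides truncation instead of rejecting it: when `number` does not fit, `buf` holds at most `sizeof(buf) - 1` characters without the closing `;\r`, yet `sizeof(buf)` bytes (terminating NUL included) are handed to bta_hf_client_send_at, so a shortened dial string would be sent. If `at_len` is a signed int (its declaration is outside the hunk), a negative snprintf result is compared as a large unsigned value inside MIN and is likewise clamped to `sizeof(buf)`. Rejecting is safer: `if (at_len < 0 || (size_t)at_len >= sizeof(buf)) return;` placed before the send, ideally with an error trace. The MIN macro relies on GNU statement expressions and `__typeof__` and would then no longer be needed. The start of bta_hf_client_send_at_atd, including the declarations of `buf` and `at_len`, lies outside the hunk.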