[PATCH BlueZ v2 2/6] android/handsfree: Fix possible invalid memory write

From: Szymon Janc <szymon.janc@xxxxxxxxx>

Copy command to IPC buffer only after checking string size.
---
 android/handsfree.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/android/handsfree.c b/android/handsfree.c
index 4af2a89..ba798ee 100644
--- a/android/handsfree.c
+++ b/android/handsfree.c
@@ -319,13 +319,14 @@ static void at_cmd_unknown(const char *command, void *user_data)
 
 	/* copy while string including terminating NULL */
 	ev->len = strlen(command) + 1;
-	memcpy(ev->buf, command, ev->len);
 
 	if (ev->len > IPC_MTU - sizeof(*ev)) {
 		hfp_gw_send_result(dev->gw, HFP_RESULT_ERROR);
 		return;
 	}
 
+	memcpy(ev->buf, command, ev->len);
+
 	ipc_send_notif(hal_ipc, HAL_SERVICE_ID_HANDSFREE,
 			HAL_EV_HANDSFREE_UNKNOWN_AT, sizeof(*ev) + ev->len, ev);
 }
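Review bot: The bounds check `if (ev->len > IPC_MTU - sizeof(*ev))` tests the value already stored in ev->len, not the raw strlen() result. The type of that field is not visible in this hunk. If it is narrower than size_t, an over-long command could be truncated on assignment and still pass the check before the memcpy. Consider computing the length into a local size_t, comparing that against IPC_MTU - sizeof(*ev), and only then assigning ev->len and copying. While touching this block, the comment "copy while string including terminating NULL" presumably means "whole string" and "NUL".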
-- 
2.2.0.rc0.207.ga3a616c
