Merge pull request #46 from sailfishos/jb63008

Backport several security fixes from upstream

ofono/drivers/atmodem/sms.c

@@ -407,7 +407,7 @@ static void at_cmt_notify(GAtResult *result, gpointer user_data)
 	struct sms_data *data = ofono_sms_get_data(sms);
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[176];
+	unsigned char pdu[176] = {0};
 	long pdu_len;
 	int tpdu_len;
 
@@ -473,7 +473,7 @@ static void at_cmgr_notify(GAtResult *result, gpointer user_data)
 	struct sms_data *data = ofono_sms_get_data(sms);
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[176];
+	unsigned char pdu[176] = {0};
 	long pdu_len;
 	int tpdu_len;
 
@@ -655,7 +655,7 @@ static void at_cmgl_notify(GAtResult *result, gpointer user_data)
 	struct sms_data *data = ofono_sms_get_data(sms);
 	GAtResultIter iter;
 	const char *hexpdu;
-	unsigned char pdu[176];
+	unsigned char pdu[176] = {0};
 	long pdu_len;
 	int tpdu_len;
 	int index;

ofono/drivers/atmodem/ussd.c

@@ -105,7 +105,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	const char *content;
 	int dcs;
 	enum sms_charset charset;
-	unsigned char msg[160];
+	unsigned char msg[160] = {0};
 	const unsigned char *msg_ptr = NULL;
 	long msg_len;
 
@@ -123,6 +123,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	if (!g_at_result_iter_next_number(&iter, &dcs))
 		dcs = 0;
 
+	if (strlen(content) > sizeof(msg) * 2)
+		goto out;
+
 	if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
 		ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
 		status = 4; /* Not supported */

ofono/drivers/huaweimodem/ussd.c

@@ -50,7 +50,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	GAtResultIter iter;
 	int status, dcs;
 	const char *content;
-	unsigned char msg[160];
+	unsigned char msg[160] = {0};
 	const unsigned char *msg_ptr = NULL;
 	long msg_len;
 
@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	if (!g_at_result_iter_next_number(&iter, &dcs))
 		dcs = 0;
 
+	if (strlen(content) > sizeof(msg) * 2)
+		goto out;
+
 	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
 
 out:

ofono/drivers/speedupmodem/ussd.c

@@ -49,7 +49,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	GAtResultIter iter;
 	int status, dcs;
 	const char *content;
-	unsigned char msg[160];
+	unsigned char msg[160] = {0};
 	const unsigned char *msg_ptr = NULL;
 	long msg_len;
 
@@ -67,6 +67,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 	if (!g_at_result_iter_next_number(&iter, &dcs))
 		dcs = 0;
 
+	if (strlen(content) > sizeof(msg) * 2)
+		goto out;
+
 	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
 
 out:

ofono/include/cell-info.h

@@ -23,14 +23,17 @@ extern "C" {
 #endif
 
 #include <ofono/types.h>
+#include <stdint.h>
 
 enum ofono_cell_type {
 	OFONO_CELL_TYPE_GSM,
 	OFONO_CELL_TYPE_WCDMA,
-	OFONO_CELL_TYPE_LTE
+	OFONO_CELL_TYPE_LTE,
+	OFONO_CELL_TYPE_NR /* Since 1.29+git8 */
 };
 
 #define OFONO_CELL_INVALID_VALUE (INT_MAX)
+#define OFONO_CELL_INVALID_VALUE_INT64 (INT64_MAX)
 
 struct ofono_cell_info_gsm {
 	int mcc;            /* Mobile Country Code (0..999) */
@@ -70,6 +73,22 @@ struct ofono_cell_info_lte {
 	int timingAdvance;  /* (Distance = 300m/us) TS 36.321 */
 };
 
+/* Since 1.29+git8 */
+struct ofono_cell_info_nr {
+	int mcc;            /* Mobile Country Code (0..999) */
+	int mnc;            /* Mobile Network Code (0..999) */
+	int64_t nci;        /* NR Cell Identity */
+	int pci;            /* Physical cell id (0..1007) */
+	int tac;            /* Tracking area code */
+	int nrarfcn;        /* 22-bit NR Absolute RC Channel Number */
+	int ssRsrp;         /* SS Reference Signal Receive Power TS 38.215 */
+	int ssRsrq;         /* SS Reference Signal Receive Quality TS 38.215 and 38.133 */
+	int ssSinr;         /* SS Reference Signal-to-Noise Ratio TS 38.215 and 38.133*/
+	int csiRsrp;        /* CSI Reference Signal Receive Power TS 38.215 */
+	int csiRsrq;        /* CSI Reference Signal Receive Quality TS 38.215 */
+	int csiSinr;        /* CSI Reference Signal-to-Noise Ratio TS 38.215 and 38.133 */
+};
+
 typedef struct ofono_cell {
 	enum ofono_cell_type type;
 	ofono_bool_t registered;
@@ -77,6 +96,7 @@ typedef struct ofono_cell {
 		struct ofono_cell_info_gsm gsm;
 		struct ofono_cell_info_wcdma wcdma;
 		struct ofono_cell_info_lte lte;
+		struct ofono_cell_info_nr nr; /* Since 1.29+git8 */
 	} info;
 } *ofono_cell_ptr;
 

ofono/include/radio-settings.h

@@ -34,6 +34,7 @@ enum ofono_radio_access_mode {
 	OFONO_RADIO_ACCESS_MODE_GSM	= 0x1,
 	OFONO_RADIO_ACCESS_MODE_UMTS	= 0x2,
 	OFONO_RADIO_ACCESS_MODE_LTE	= 0x4,
+	OFONO_RADIO_ACCESS_MODE_NR	= 0x8, /* Since 1.29+git8 */
 };
 
 enum ofono_radio_band_gsm {

ofono/include/types.h

@@ -57,7 +57,11 @@ enum ofono_access_technology {
 	OFONO_ACCESS_TECHNOLOGY_UTRAN_HSDPA_HSUPA = 6,
 	OFONO_ACCESS_TECHNOLOGY_EUTRAN = 7,
 	OFONO_ACCESS_TECHNOLOGY_NB_IOT_M1 = 8,
-	OFONO_ACCESS_TECHNOLOGY_NB_IOT_NB1 = 9
+	OFONO_ACCESS_TECHNOLOGY_NB_IOT_NB1 = 9,
+	OFONO_ACCESS_TECHNOLOGY_EUTRA_5GCN = 10, /* Since 1.29+git8 */
+	OFONO_ACCESS_TECHNOLOGY_NR_5GCN = 11, /* Since 1.29+git8 */
+	OFONO_ACCESS_TECHNOLOGY_NG_RAN = 12, /* Since 1.29+git8 */
+	OFONO_ACCESS_TECHNOLOGY_EUTRA_NR = 13, /* Since 1.29+git8 */
 };
 
 /* 27.007 Section 6.2 */

ofono/plugins/hfp_ag_bluez5.c

@@ -2,6 +2,7 @@
  *  oFono - Open Source Telephony
  *
  *  Copyright (C) 2011  Intel Corporation. All rights reserved.
+ *  Copyright (C) 2018-2022  Jolla Ltd. All rights reserved.
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License version 2 as
@@ -52,6 +53,11 @@ typedef struct GAtResult GAtResult;
 
 #define HFP_AG_DRIVER		"hfp-ag-driver"
 
+struct watch_fd {
+    guint id;
+    int fd;
+};
+
 static gboolean hfp_ag_enabled;
 static guint service_watch_id;
 static guint modemwatch_id;
@@ -145,11 +151,12 @@ static struct ofono_handsfree_card_driver hfp_ag_driver = {
 
 static void connection_destroy(gpointer data)
 {
-	int fd = GPOINTER_TO_INT(data);
+	struct watch_fd *watch = data;
 
-	DBG("fd %d", fd);
+	DBG("fd %d", watch->fd);
 
-	close(fd);
+	g_source_remove(watch->id);
+	g_free(watch);
 }
 
 static gboolean io_hup_cb(GIOChannel *io, GIOCondition cond, gpointer data)
@@ -169,7 +176,8 @@ static DBusMessage *profile_new_connection(DBusConnection *conn,
 	DBusMessageIter entry;
 	const char *device;
 	GIOChannel *io;
-	int fd, fd_dup;
+	int fd;
+	struct watch_fd *watch;
 	struct sockaddr_rc saddr;
 	socklen_t optlen;
 	struct ofono_emulator *em;
@@ -252,10 +260,12 @@ static DBusMessage *profile_new_connection(DBusConnection *conn,
 	emulator = em;
 	ofono_emulator_register(em, fd);
 
-	fd_dup = dup(fd);
-	io = g_io_channel_unix_new(fd_dup);
-	g_io_add_watch_full(io, G_PRIORITY_DEFAULT, G_IO_HUP, io_hup_cb,
-						g_strdup(device), g_free);
+	watch = g_new(struct watch_fd, 1);
+	watch->fd = dup(fd);
+	io = g_io_channel_unix_new(watch->fd);
+	g_io_channel_set_close_on_unref(io, TRUE);
+        watch->id = g_io_add_watch_full(io, G_PRIORITY_DEFAULT, G_IO_HUP,
+					io_hup_cb, g_strdup(device), g_free);
 	g_io_channel_unref(io);
 
 	card = ofono_handsfree_card_create(0,
@@ -269,8 +279,7 @@ static DBusMessage *profile_new_connection(DBusConnection *conn,
 
 	ofono_emulator_set_handsfree_card(em, card);
 
-	g_hash_table_insert(connection_hash, g_strdup(device),
-						GINT_TO_POINTER(fd_dup));
+	g_hash_table_insert(connection_hash, g_strdup(device), watch);
 
 	return dbus_message_new_method_return(msg);
 
@@ -304,7 +313,7 @@ static DBusMessage *profile_disconnection(DBusConnection *conn,
 {
 	DBusMessageIter iter;
 	const char *device;
-	gpointer fd;
+	struct watch_fd *watch;
 
 	DBG("Profile handler RequestDisconnection");
 
@@ -318,11 +327,11 @@ static DBusMessage *profile_disconnection(DBusConnection *conn,
 
 	DBG("%s", device);
 
-	fd = g_hash_table_lookup(connection_hash, device);
-	if (fd == NULL)
+	watch = g_hash_table_lookup(connection_hash, device);
+	if (watch == NULL)
 		goto invalid;
 
-	shutdown(GPOINTER_TO_INT(fd), SHUT_RDWR);
+	shutdown(watch->fd, SHUT_RDWR);
 
 	g_hash_table_remove(connection_hash, device);
 

ofono/src/cbs.c

@@ -771,7 +771,7 @@ static void sim_cbmi_read_cb(int ok, int length, int record,
 
 		mi = (data[i] << 8) + data[i+1];
 
-		if (mi > 999)
+		if (mi > CBS_MAX_TOPIC)
 			continue;
 
 		range = g_new0(struct cbs_topic_range, 1);
@@ -818,7 +818,7 @@ static void sim_cbmir_read_cb(int ok, int length, int record,
 		min = (data[i] << 8) + data[i+1];
 		max = (data[i+2] << 8) + data[i+3];
 
-		if (min > 999 || max > 999 || min > max)
+		if (min > CBS_MAX_TOPIC || max > CBS_MAX_TOPIC || min > max)
 			continue;
 
 		range = g_new0(struct cbs_topic_range, 1);

ofono/src/cell-info-dbus.c

@@ -57,14 +57,19 @@ struct cell_property {
 	const char *name;
 	glong off;
 	int flag;
+	int type;
 };
 
 #define CELL_GSM_PROPERTY(value,name) \
-	{ #name, G_STRUCT_OFFSET(struct ofono_cell_info_gsm,name), value }
+	{ #name, G_STRUCT_OFFSET(struct ofono_cell_info_gsm,name), value, DBUS_TYPE_INT32 }
 #define CELL_WCDMA_PROPERTY(value,name) \
-	{ #name, G_STRUCT_OFFSET(struct ofono_cell_info_wcdma,name), value }
+	{ #name, G_STRUCT_OFFSET(struct ofono_cell_info_wcdma,name), value, DBUS_TYPE_INT32 }
 #define CELL_LTE_PROPERTY(value,name) \
-	{ #name, G_STRUCT_OFFSET(struct ofono_cell_info_lte,name), value }
+	{ #name, G_STRUCT_OFFSET(struct ofono_cell_info_lte,name), value, DBUS_TYPE_INT32 }
+#define CELL_NR_PROPERTY(value,name) \
+	{ #name, G_STRUCT_OFFSET(struct ofono_cell_info_nr,name), value, DBUS_TYPE_INT32 }
+#define CELL_NR_PROPERTY64(value,name) \
+	{ #name, G_STRUCT_OFFSET(struct ofono_cell_info_nr,name), value, DBUS_TYPE_INT64 }
 
 static const struct cell_property cell_gsm_properties [] = {
 	CELL_GSM_PROPERTY(0x001,mcc),
@@ -104,6 +109,21 @@ static const struct cell_property cell_lte_properties [] = {
 	CELL_LTE_PROPERTY(0x800,timingAdvance)
 };
 
+static const struct cell_property cell_nr_properties [] = {
+	CELL_NR_PROPERTY(0x001,mcc),
+	CELL_NR_PROPERTY(0x002,mnc),
+	CELL_NR_PROPERTY64(0x004,nci),
+	CELL_NR_PROPERTY(0x008,pci),
+	CELL_NR_PROPERTY(0x010,tac),
+	CELL_NR_PROPERTY(0x020,nrarfcn),
+	CELL_NR_PROPERTY(0x040,ssRsrp),
+	CELL_NR_PROPERTY(0x080,ssRsrq),
+	CELL_NR_PROPERTY(0x100,ssSinr),
+	CELL_NR_PROPERTY(0x200,csiRsrp),
+	CELL_NR_PROPERTY(0x400,csiRsrq),
+	CELL_NR_PROPERTY(0x800,csiSinr),
+};
+
 #define CELL_PROPERTY_REGISTERED 0x1000
 
 typedef void (*cell_info_dbus_append_fn)(DBusMessageIter *it,
@@ -124,6 +144,8 @@ static const char *cell_info_dbus_cell_type_str(enum ofono_cell_type type)
 		return "wcdma";
 	case OFONO_CELL_TYPE_LTE:
 		return "lte";
+	case OFONO_CELL_TYPE_NR:
+		return "nr";
 	default:
 		return "unknown";
 	}
@@ -142,6 +164,9 @@ static const struct cell_property *cell_info_dbus_cell_properties
 	case OFONO_CELL_TYPE_LTE:
 		*count = G_N_ELEMENTS(cell_lte_properties);
 		return cell_lte_properties;
+	case OFONO_CELL_TYPE_NR:
+		*count = G_N_ELEMENTS(cell_nr_properties);
+		return cell_nr_properties;
 	default:
 		*count = 0;
 		return NULL;
@@ -202,10 +227,18 @@ static void cell_info_dbus_append_properties(DBusMessageIter *it,
 
 	dbus_message_iter_open_container(it, DBUS_TYPE_ARRAY, "{sv}", &dict);
 	for (i = 0; i < n; i++) {
-		gint32 value = G_STRUCT_MEMBER(int, &cell->info, prop[i].off);
-		if (value != OFONO_CELL_INVALID_VALUE) {
-			ofono_dbus_dict_append(&dict, prop[i].name,
-				DBUS_TYPE_INT32, &value);
+		if (prop[i].type == DBUS_TYPE_INT64) {
+			gint64 value = G_STRUCT_MEMBER(gint64, &cell->info, prop[i].off);
+			if (value != OFONO_CELL_INVALID_VALUE_INT64) {
+				ofono_dbus_dict_append(&dict, prop[i].name,
+					DBUS_TYPE_INT64, &value);
+			}
+		} else {
+			gint32 value = G_STRUCT_MEMBER(int, &cell->info, prop[i].off);
+			if (value != OFONO_CELL_INVALID_VALUE) {
+				ofono_dbus_dict_append(&dict, prop[i].name,
+					DBUS_TYPE_INT32, &value);
+			}
 		}
 	}
 	dbus_message_iter_close_container(it, &dict);
@@ -375,11 +408,20 @@ static int cell_info_dbus_compare(const struct ofono_cell *c1,
 
 		for (i = 0; i < n; i++) {
 			const glong offset = prop[i].off;
-			gint32 v1 = G_STRUCT_MEMBER(int, &c1->info, offset);
-			gint32 v2 = G_STRUCT_MEMBER(int, &c2->info, offset);
+			if (prop[i].type == DBUS_TYPE_INT64) {
+				gint64 v1 = G_STRUCT_MEMBER(gint64, &c1->info, offset);
+				gint64 v2 = G_STRUCT_MEMBER(gint64, &c2->info, offset);
 
-			if (v1 != v2) {
-				mask |= prop[i].flag;
+				if (v1 != v2) {
+					mask |= prop[i].flag;
+				}
+			} else  {
+				gint32 v1 = G_STRUCT_MEMBER(int, &c1->info, offset);
+				gint32 v2 = G_STRUCT_MEMBER(int, &c2->info, offset);
+
+				if (v1 != v2) {
+					mask |= prop[i].flag;
+				}
 			}
 		}
 
@@ -427,7 +469,7 @@ static void cell_info_dbus_property_changed(CellInfoDBus *dbus,
 			ofono_dbus_clients_signal_property_changed(
 				dbus->clients, entry->path,
 				CELL_DBUS_INTERFACE, prop[i].name,
-				DBUS_TYPE_INT32,
+				prop[i].type,
 				G_STRUCT_MEMBER_P(&cell->info, prop[i].off));
 			mask &= ~prop[i].flag;
 		}

ofono/src/cell-info.c

@@ -70,6 +70,23 @@ int ofono_cell_compare_location(const struct ofono_cell *c1,
 			} else {
 				return l1->tac - l2->tac;
 			}
+		} else if (c1->type == OFONO_CELL_TYPE_NR) {
+			const struct ofono_cell_info_nr *n1 =
+				&c1->info.nr;
+			const struct ofono_cell_info_nr *n2 =
+				&c2->info.nr;
+
+			if (n1->mcc != n2->mcc) {
+				return n1->mcc - n2->mcc;
+			} else if (n1->mnc != n2->mnc) {
+				return n1->mnc - n2->mnc;
+			} else if (n1->nci != n2->nci) {
+				return n1->nci - n2->nci;
+			} else if (n1->pci != n2->pci) {
+				return n1->pci - n2->pci;
+			} else {
+				return n1->tac - n2->tac;
+			}
 		} else {
 			ofono_warn("Unexpected cell type");
 			return 0;

ofono/src/common.c

@@ -710,6 +710,12 @@ const char *registration_tech_to_string(enum ofono_access_technology tech)
 		return "lte-cat-m1";
 	case ACCESS_TECHNOLOGY_NB_IOT_NB1:
 		return "lte-cat-nb1";
+	case ACCESS_TECHNOLOGY_EUTRA_5GCN:
+		return "lte";
+	case ACCESS_TECHNOLOGY_NR_5GCN:
+	case ACCESS_TECHNOLOGY_NG_RAN:
+	case ACCESS_TECHNOLOGY_EUTRA_NR:
+		return "nr";
 	case OFONO_ACCESS_TECHNOLOGY_NONE:
 		break;
 	default:

ofono/src/common.h

@@ -46,6 +46,14 @@
   OFONO_ACCESS_TECHNOLOGY_NB_IOT_M1 /* 8 */
 #define ACCESS_TECHNOLOGY_NB_IOT_NB1 \
   OFONO_ACCESS_TECHNOLOGY_NB_IOT_NB1 /* 9 */
+#define ACCESS_TECHNOLOGY_EUTRA_5GCN \
+  OFONO_ACCESS_TECHNOLOGY_EUTRA_5GCN /* 10 */
+#define ACCESS_TECHNOLOGY_NR_5GCN \
+  OFONO_ACCESS_TECHNOLOGY_NR_5GCN /* 11 */
+#define ACCESS_TECHNOLOGY_NG_RAN \
+  OFONO_ACCESS_TECHNOLOGY_NG_RAN /* 12 */
+#define ACCESS_TECHNOLOGY_EUTRA_NR \
+  OFONO_ACCESS_TECHNOLOGY_EUTRA_NR /* 13 */
 
 /* 27.007 Section 7.2 <stat> */
 #define NETWORK_REGISTRATION_STATUS_NOT_REGISTERED \

ofono/src/conf.c

@@ -1,7 +1,7 @@
 /*
  *  oFono - Open Source Telephony
  *
- *  Copyright (C) 2015-2021 Jolla Ltd.
+ *  Copyright (C) 2015-2022 Jolla Ltd.
  *  Copyright (C) 2019 Open Mobile Platform LLC.
  *
  *  This program is free software; you can redistribute it and/or modify
@@ -243,6 +243,7 @@ static void conf_merge_group(GKeyFile *conf, GKeyFile *k, const char *group)
 						group, key, &count, NULL);
 
 				key[len-1] = 0;
+				g_strchomp(key); /* Strip spaces before + */
 				conf_list_append(conf, k, group, key,
 						values, count, last == '?');
 				g_strfreev(values);
@@ -252,6 +253,7 @@ static void conf_merge_group(GKeyFile *conf, GKeyFile *k, const char *group)
 						group, key, &count, NULL);
 
 				key[len-1] = 0;
+				g_strchomp(key); /* Strip spaces before - */
 				conf_list_remove(conf, k, group, key,
 							values, count);
 				g_strfreev(values);
@@ -531,13 +533,16 @@ gboolean ofono_conf_get_mask(GKeyFile *file, const char *group,
 		char **values, **ptr;
 
 		if (comment) *comment = 0;
-		values = g_strsplit(str, "+", -1);
+		values = g_strsplit_set(str, "+,", -1);
 
 		for (ok = TRUE, ptr = values; *ptr && ok; ptr++) {
 			const char* found_str = NULL;
 			const char* s = g_strstrip(*ptr);
 
-			if (!strcasecmp(s, name)) {
+			if (!s[0]) {
+				/* Ignore empty entries */
+				continue;
+			} else if (!strcasecmp(s, name)) {
 				found_str = name;
 				if (result) {
 					*result |= value;

ofono/src/ims.c

@@ -262,8 +262,7 @@ static void ims_registration_check(struct ofono_ims *ims)
 		/* Any state is acceptable */
 		DBG("ims is enabled, no action needed");
 		return;
-	case IMS_REG_DEFAULT:
-		/* IMS_REG_AUTO */
+	case IMS_REG_AUTO:
 		break;
 	}
 

ofono/src/radio-settings.c

@@ -65,7 +65,9 @@ struct ofono_radio_settings {
 enum ofono_radio_access_mode ofono_radio_access_max_mode(
 					enum ofono_radio_access_mode mask)
 {
-	return	(mask & OFONO_RADIO_ACCESS_MODE_LTE) ?
+	return	(mask & OFONO_RADIO_ACCESS_MODE_NR) ?
+					OFONO_RADIO_ACCESS_MODE_NR :
+		(mask & OFONO_RADIO_ACCESS_MODE_LTE) ?
 					OFONO_RADIO_ACCESS_MODE_LTE :
 		(mask & OFONO_RADIO_ACCESS_MODE_UMTS) ?
 					OFONO_RADIO_ACCESS_MODE_UMTS :
@@ -86,6 +88,8 @@ const char *ofono_radio_access_mode_to_string(enum ofono_radio_access_mode m)
 		return "umts";
 	case OFONO_RADIO_ACCESS_MODE_LTE:
 		return "lte";
+	case OFONO_RADIO_ACCESS_MODE_NR:
+		return "nr";
 	default:
 		return NULL;
 	}
@@ -110,6 +114,9 @@ ofono_bool_t ofono_radio_access_mode_from_string(const char *str,
 	} else if (g_str_equal(str, "lte")) {
 		*mode = OFONO_RADIO_ACCESS_MODE_LTE;
 		return TRUE;
+	} else if (g_str_equal(str, "nr")) {
+		*mode = OFONO_RADIO_ACCESS_MODE_NR;
+		return TRUE;
 	}
 
 	return FALSE;
@@ -438,7 +445,7 @@ static void radio_available_rats_query_callback(const struct ofono_error *error,
 	struct ofono_radio_settings *rs = data;
 
 	if (error->type == OFONO_ERROR_TYPE_NO_ERROR)
-		rs->available_rats = available_rats & 0x7;
+		rs->available_rats = available_rats & 0xF;
 	else
 		DBG("Error while querying available rats");
 

ofono/src/smsutil.c

@@ -628,6 +628,10 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
 	if (!next_octet(pdu, len, offset, &addr_len))
 		return FALSE;
 
+	/* According to 23.040 9.1.2.5 Address-Length must not exceed 20 */
+	if (addr_len > 20)
+		return FALSE;
+
 	if (sc && addr_len == 0) {
 		out->address[0] = '\0';
 		return TRUE;
@@ -779,6 +783,9 @@ static gboolean decode_deliver(const unsigned char *pdu, int len,
 
 	expected = sms_udl_in_bytes(out->deliver.udl, out->deliver.dcs);
 
+	if (expected < 0 || expected > (int)sizeof(out->deliver.ud))
+		return FALSE;
+
 	if ((len - offset) < expected)
 		return FALSE;
 
@@ -941,10 +948,16 @@ static gboolean decode_submit_report(const unsigned char *pdu, int len,
 			return FALSE;
 
 		if (out->type == SMS_TYPE_SUBMIT_REPORT_ERROR) {
+			if (expected > (int) sizeof(out->submit_err_report.ud))
+				return FALSE;
+
 			out->submit_err_report.udl = udl;
 			memcpy(out->submit_err_report.ud,
 					pdu + offset, expected);
 		} else {
+			if (expected > (int) sizeof(out->submit_ack_report.ud))
+				return FALSE;
+
 			out->submit_ack_report.udl = udl;
 			memcpy(out->submit_ack_report.ud,
 					pdu + offset, expected);
@@ -1077,6 +1090,9 @@ static gboolean decode_status_report(const unsigned char *pdu, int len,
 		if ((len - offset) < expected)
 			return FALSE;
 
+		if (expected > (int)sizeof(out->status_report.ud))
+			return FALSE;
+
 		memcpy(out->status_report.ud, pdu + offset, expected);
 	}
 
@@ -1226,10 +1242,16 @@ static gboolean decode_deliver_report(const unsigned char *pdu, int len,
 			return FALSE;
 
 		if (out->type == SMS_TYPE_DELIVER_REPORT_ERROR) {
+			if (expected > (int) sizeof(out->deliver_err_report.ud))
+				return FALSE;
+
 			out->deliver_err_report.udl = udl;
 			memcpy(out->deliver_err_report.ud,
 					pdu + offset, expected);
 		} else {
+			if (expected > (int) sizeof(out->deliver_ack_report.ud))
+				return FALSE;
+
 			out->deliver_ack_report.udl = udl;
 			memcpy(out->deliver_ack_report.ud,
 					pdu + offset, expected);
@@ -1464,6 +1486,9 @@ static gboolean decode_command(const unsigned char *pdu, int len,
 	if ((len - offset) < out->command.cdl)
 		return FALSE;
 
+	if (out->command.cdl > sizeof(out->command.cd))
+		return FALSE;
+
 	memcpy(out->command.cd, pdu + offset, out->command.cdl);
 
 	return TRUE;
@@ -4593,13 +4618,11 @@ out:
 GSList *cbs_optimize_ranges(GSList *ranges)
 {
 	struct cbs_topic_range *range;
-	unsigned char bitmap[125];
+	unsigned char *bitmap = g_malloc0(CBS_MAX_TOPIC / 8 + 1);
 	GSList *l;
 	unsigned short i;
 	GSList *ret = NULL;
 
-	memset(bitmap, 0, sizeof(bitmap));
-
 	for (l = ranges; l; l = l->next) {
 		range = l->data;
 
@@ -4613,7 +4636,7 @@ GSList *cbs_optimize_ranges(GSList *ranges)
 
 	range = NULL;
 
-	for (i = 0; i <= 999; i++) {
+	for (i = 0; i <= CBS_MAX_TOPIC; i++) {
 		int byte_offset = i / 8;
 		int bit = i % 8;
 
@@ -4641,6 +4664,7 @@ GSList *cbs_optimize_ranges(GSList *ranges)
 
 	ret = g_slist_reverse(ret);
 
+	g_free(bitmap);
 	return ret;
 }
 
@@ -4653,10 +4677,10 @@ GSList *cbs_extract_topic_ranges(const char *ranges)
 	GSList *tmp;
 
 	while (next_range(ranges, &offset, &min, &max) == TRUE) {
-		if (min < 0 || min > 999)
+		if (min < 0 || min > CBS_MAX_TOPIC)
 			return NULL;
 
-		if (max < 0 || max > 999)
+		if (max < 0 || max > CBS_MAX_TOPIC)
 			return NULL;
 
 		if (max < min)

ofono/src/smsutil.h

@@ -23,6 +23,7 @@
 #include <ofono/types.h>
 
 #define CBS_MAX_GSM_CHARS 93
+#define CBS_MAX_TOPIC 9999
 #define SMS_MSGID_LEN 20
 
 enum sms_type {

ofono/src/stkutil.c

@@ -1816,6 +1816,10 @@ static bool parse_dataobj_frame_layout(struct comprehension_tlv_iter *iter,
 
 	fl->layout = data[0];
 	fl->len = len - 1;
+
+	if (fl->len > sizeof(fl->size))
+		return false;
+
 	memcpy(fl->size, data + 1, fl->len);
 
 	return true;
@@ -1909,6 +1913,10 @@ static bool parse_dataobj_mms_reference(struct comprehension_tlv_iter *iter,
 
 	data = comprehension_tlv_iter_get_data(iter);
 	mr->len = len;
+
+	if (len > sizeof(mr->ref))
+		return false;
+
 	memcpy(mr->ref, data, len);
 
 	return true;
@@ -1927,6 +1935,10 @@ static bool parse_dataobj_mms_id(struct comprehension_tlv_iter *iter,
 
 	data = comprehension_tlv_iter_get_data(iter);
 	mi->len = len;
+
+	if (len > sizeof(mi->id))
+		return false;
+
 	memcpy(mi->id, data, len);
 
 	return true;
@@ -1963,6 +1975,10 @@ static bool parse_dataobj_mms_content_id(
 
 	data = comprehension_tlv_iter_get_data(iter);
 	mci->len = len;
+
+	if (len > sizeof(mci->id))
+		return false;
+
 	memcpy(mci->id, data, len);
 
 	return true;

ofono/src/voicecall.c

@@ -2665,9 +2665,9 @@ void ofono_voicecall_disconnected(struct ofono_voicecall *vc, int id,
 	if (l) {
 		/* Incoming call was disconnected in the process of being
 		 * filtered. voicecall_destroy cancels it. */
+		voicecall_destroy(l->data);
 		vc->incoming_filter_list = g_slist_delete_link
 					(vc->incoming_filter_list, l);
-		voicecall_destroy(l->data);
 		return;
 	}
 

ofono/test/test-cbs

@@ -92,9 +92,9 @@ def set_topics(cbs):
 			break
 
 		if topicTemp:
-			if int(topicTemp) > 999:
+			if int(topicTemp) > 9999:
 				invalidData = True
-				print("Invalid Topic ID %s (range 0-999). \
+				print("Invalid Topic ID %s (range 0-9999). \
 					\nCould not register." % topicTemp)
 
 		index = index + 1

ofono/unit/test-cell-info-dbus.c

@@ -318,6 +318,28 @@ static struct ofono_cell *test_cell_init_lte(struct ofono_cell *cell)
 	return cell;
 }
 
+static struct ofono_cell *test_cell_init_nr(struct ofono_cell *cell)
+{
+	struct ofono_cell_info_nr *nr = &cell->info.nr;
+
+	memset(cell, 0, sizeof(*cell));
+	cell->type = OFONO_CELL_TYPE_NR;
+	cell->registered = TRUE;
+	nr->mcc = 244;
+	nr->mnc = 91;
+	nr->nci = 36591883;
+	nr->pci = 309;
+	nr->tac = 4030;
+	nr->nrarfcn = INT_MAX;
+	nr->ssRsrp = 106;
+	nr->ssRsrq = 6;
+	nr->ssSinr = INT_MAX;
+	nr->csiRsrp = 106;
+	nr->csiRsrq = 6;
+	nr->csiSinr = INT_MAX;
+	return cell;
+}
+
 /* ==== Misc ==== */
 
 static void test_misc(void)
@@ -540,6 +562,13 @@ static void test_get_all4(void)
 {
 	struct ofono_cell cell;
 
+	test_get_all(test_cell_init_nr(&cell), "nr");
+}
+
+static void test_get_all5(void)
+{
+	struct ofono_cell cell;
+
 	/* Invalid cell */
 	memset(&cell, 0xff, sizeof(cell));
 	test_get_all(&cell, "unknown");
@@ -1145,6 +1174,7 @@ int main(int argc, char *argv[])
 	g_test_add_func(TEST_("GetAll2"), test_get_all2);
 	g_test_add_func(TEST_("GetAll3"), test_get_all3);
 	g_test_add_func(TEST_("GetAll4"), test_get_all4);
+	g_test_add_func(TEST_("GetAll5"), test_get_all5);
 	g_test_add_func(TEST_("GetInterfaceVersion"), test_get_version);
 	g_test_add_func(TEST_("GetType"), test_get_type);
 	g_test_add_func(TEST_("GetRegistered"), test_get_registered);

ofono/unit/test-cell-info.c

@@ -226,6 +226,35 @@ static void test_compare(void)
 	c2 = c1; c2.info.lte.timingAdvance++;
 	g_assert(!ofono_cell_compare_location(&c1, &c2));
 
+	/* NR */
+	c1.type = OFONO_CELL_TYPE_NR;
+	c2 = c1;
+	g_assert(!ofono_cell_compare_location(&c1, &c2));
+	c2 = c1; c2.info.nr.mcc++;
+	g_assert(ofono_cell_compare_location(&c1, &c2) < 0);
+	c2 = c1; c2.info.nr.mnc++;
+	g_assert(ofono_cell_compare_location(&c1, &c2) < 0);
+	c2 = c1; c2.info.nr.nci++;
+	g_assert(ofono_cell_compare_location(&c1, &c2) < 0);
+	c2 = c1; c2.info.nr.pci++;
+	g_assert(ofono_cell_compare_location(&c1, &c2) < 0);
+	c2 = c1; c2.info.nr.tac++;
+	g_assert(ofono_cell_compare_location(&c1, &c2) < 0);
+	/* Other attributes are not being compared */
+	c2 = c1; c2.info.nr.nrarfcn++;
+	g_assert(!ofono_cell_compare_location(&c1, &c2));
+	c2 = c1; c2.info.nr.ssRsrp++;
+	g_assert(!ofono_cell_compare_location(&c1, &c2));
+	c2 = c1; c2.info.nr.ssRsrq++;
+	g_assert(!ofono_cell_compare_location(&c1, &c2));
+	c2 = c1; c2.info.nr.ssSinr++;
+	g_assert(!ofono_cell_compare_location(&c1, &c2));
+	c2 = c1; c2.info.nr.csiRsrp++;
+	g_assert(!ofono_cell_compare_location(&c1, &c2));
+	c2 = c1; c2.info.nr.csiRsrq++;
+	g_assert(!ofono_cell_compare_location(&c1, &c2));
+	c2 = c1; c2.info.nr.csiSinr++;
+	g_assert(!ofono_cell_compare_location(&c1, &c2));
 	/* Unknown type */
 	c1.type = c2.type = (enum ofono_cell_type)-1;
 	g_assert(!ofono_cell_compare_location(&c1, &c2));

ofono/unit/test-conf.c

@@ -75,6 +75,7 @@ static void test_merge1(const char *conf, const char *conf1, const char *out)
 	char *file1 = g_strconcat(subdir, "/bar.conf", NULL);
 	GKeyFile *k = g_key_file_new();
 	char *data;
+	char *out_stripped = g_strstrip(g_strdup(out));
 
 	g_assert(!mkdir(subdir, 0700));
 	g_assert(g_file_set_contents(file, conf, -1, NULL));
@@ -84,8 +85,9 @@ static void test_merge1(const char *conf, const char *conf1, const char *out)
 	g_key_file_set_list_separator(k, ',');
 	ofono_conf_merge_files(k, file);
 	data = g_key_file_to_data(k, NULL, NULL);
+	g_strstrip(data);
 	DBG("\n%s", data);
-	g_assert(!g_strcmp0(data, out));
+	g_assert(!g_strcmp0(data, out_stripped));
 	g_free(data);
 	g_key_file_unref(k);
 
@@ -94,6 +96,7 @@ static void test_merge1(const char *conf, const char *conf1, const char *out)
 	remove(subdir);
 	remove(dir);
 
+	g_free(out_stripped);
 	g_free(file);
 	g_free(file1);
 	g_free(dir);

ofono/unit/test-sms.c

@@ -1589,7 +1589,7 @@ static void test_cbs_padding_character(void)
 static const char *ranges[] = { "1-5, 2, 3, 600, 569-900, 999",
 				"0-20, 33, 44, 50-60, 20-50, 1-5, 5, 3, 5",
 				NULL };
-static const char *inv_ranges[] = { "1-5, 3333", "1-5, afbcd", "1-5, 3-5,,",
+static const char *inv_ranges[] = { "1-5, 33333", "1-5, afbcd", "1-5, 3-5,,",
 					"1-5, 3-5, c", NULL };
 
 static void test_range_minimizer(void)

rpm/ofono.spec

@@ -22,7 +22,7 @@ BuildRequires: pkgconfig(rpm)
 Requires:   dbus
 Requires:   systemd
 Requires:   libglibutil >= %{libglibutil_version}
-%{recommend}: mobile-broadband-provider-info
+Requires:   mobile-broadband-provider-info
 %{recommend}: ofono-configs
 Requires(preun): systemd
 Requires(post): systemd