ubports-volte/ofono-binder-plugin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[ofono-binder] Fix memory allocation size for a string. JB#63068

Browse Source 
Used in AIDL interface. Incorrect size caused writing outside of allocated memory.
This commit is contained in:
Matti Lehtimäki
2025-01-24 14:42:47 +02:00
parent 0ad76c3528
commit fd57dda0ba
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/binder_sms.c
View File

@@ -642,11 +642,11 @@ binder_sms_gsm_message_aidl(
* interface expects an empty string for default SMSC.
*/
char* tpdu;
tpdu = g_malloc0(sizeof(char) * (tpdu_len * 2));
int smsc_len = pdu_len - tpdu_len;
gint32 initial_size;
/* PDU is sent as an ASCII hex string */
tpdu = g_malloc0(sizeof(char) * (tpdu_len * 2 + 1));
ofono_encode_hex(pdu + smsc_len, tpdu_len, tpdu);
DBG_(self, "%s", tpdu);
@@ -657,7 +657,7 @@ binder_sms_gsm_message_aidl(
gbinder_writer_append_int32(writer, -1);
gbinder_writer_append_string16_len(writer, (const char*) pdu, smsc_len);
gbinder_writer_append_string16_len(writer, tpdu, tpdu_len * 2);
gbinder_writer_append_string16_len(writer, tpdu, tpdu_len * 2 + 1);
/* Overwrite parcelable size */
gbinder_writer_overwrite_int32(writer, initial_size,