Sanity-check the MNC length value from the SIM card
author: Marcel Holtmann <marcel@holtmann.org>
Tue, 22 Jun 2010 15:15:06 +0000 (17:15 +0200)
committer: Marcel Holtmann <marcel@holtmann.org>
Tue, 22 Jun 2010 15:21:03 +0000 (17:21 +0200)
In case the SIM entry is wrong or we force reading of it, nasty things
like this can happen:

ofonod[12456]: Control:> AT+CRSM=176,28589,0,0,4\r
ofonod[12456]: Control:< +CRSM: 144,0,"00FFFF"\r\n\r\nOK\r\n
*** buffer overflow detected ***: ./src/ofonod terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3e42efb417]
/lib64/libc.so.6[0x3e42ef9310]
/lib64/libc.so.6(__strncpy_chk+0x17b)[0x3e42ef85cb]

src/sim.c

index 17e38c5..2514e7b 100644 (file)
--- a/src/sim.c
+++ b/src/sim.c
@@ -871,6 +871,10 @@ static void sim_ad_read_cb(int ok, int length, int record,
 
        new_mnc_length = data[3] & 0xf;
 
+       /* sanity check for potential invalid values */
+       if (new_mnc_length < 2 || new_mnc_length > 3)
+               return;
+
        if (sim->mnc_length == new_mnc_length)
                return;
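Review bot: the new range check on `new_mnc_length` runs after `data[3]` has already been read, and nothing in this hunk shows that `length` was verified to be at least 4 before that read; the commit message's own trace shows the modem answering a 4-byte read with only 3 bytes (`"00FFFF"`), so if `sim_ad_read_cb` does not already reject `length < 4` above this hunk, the `data[3]` access itself is out of bounds and should be guarded first. The accepted range is right (the MNC length field of EF_AD is defined as 2 or 3 digits), but the comment `/* sanity check for potential invalid values */` would be more useful if it said that, e.g. `/* EF_AD MNC length must be 2 or 3 digits */`. Finally, the silent `return` discards a malformed SIM entry without any trace; logging the rejected value before returning would make the next wrong-SIM report (like the one in the commit message) much easier to diagnose.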