fix the packet buffer overflow by long digit(>32)
authorSooyoung Ha <yoosah.ha@samsung.com>
Fri, 26 Apr 2013 06:43:05 +0000 (15:43 +0900)
committerSooyoung Ha <yoosah.ha@samsung.com>
Fri, 26 Apr 2013 06:43:05 +0000 (15:43 +0900)
libvmodem/vgsm_call.h
packaging/vmodemd-emul.spec
vmodem/server/server_rx_call.c
vmodem/server/server_tx_call.c

index a544e1af2a99a120f6f8277c58f807a19c92adcb..f56c63435c126090d5b878bc8c234a5abc32641d 100644 (file)
@@ -31,7 +31,7 @@
 #define _vgsm_call_h
 
 #define MAX_GSM_CALL_LIST_NUMBER 6 // ±âÁ¸¿¡´Â 6.
-#define MAX_GSM_DIALED_DIGITS_NUMBER 82 //±âÁ¸¿¡´Â 32.
+#define MAX_GSM_DIALED_DIGITS_NUMBER 32 //±âÁ¸¿¡´Â 32.
 #define MAX_BUF_LEN 256
 
 /* DIRECTION field */
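Review bot: The comment on `MAX_GSM_DIALED_DIGITS_NUMBER` is mis-encoded and unreadable, and it no longer says what the limit means. The rest of this commit treats the value as a buffer size that includes the terminator (callers clamp to `MAX_GSM_DIALED_DIGITS_NUMBER - 1` and store a `'\0'`). I would replace the comment with `/* size of a dialed-number buffer, including the terminating NUL; longer numbers are truncated */`. Because this header lives under libvmodem, any array or struct sized by the macro elsewhere shrinks from 82 to 32 bytes, so every user should be rebuilt and re-checked for copies that still assume the old size.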
index 68b4e98ad1a698fed492bc9ab1c269baf3444394..d5ad19247e37dc5cfa4365adfb501d2be99f75d5 100644 (file)
@@ -1,6 +1,6 @@
 #git:slp/pkgs/v/vmodem-daemon-emulator
 Name: vmodemd-emul
-Version: 0.2.44
+Version: 0.2.45
 Release: 1
 Summary: Modem Emulator
 Group: System/ModemEmulator
index 3f62a1553137586f88ccd5c39b564aae19d66d47..6adb0fed327cb528b4986fb826bd5cd72de78066 100644 (file)
@@ -149,8 +149,8 @@ int server_rx_call_originate_exec(void *ptr_data, int data_len )
        
        unsigned char data[MAX_GSM_DIALED_DIGITS_NUMBER+4];
 
-       if (num_len > MAX_GSM_DIALED_DIGITS_NUMBER)
-               num_len = MAX_GSM_DIALED_DIGITS_NUMBER;
+       if (num_len >= MAX_GSM_DIALED_DIGITS_NUMBER)
+               num_len = MAX_GSM_DIALED_DIGITS_NUMBER - 1;
 
        data[0] = call_id;
        data[1] = call_type;
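Review bot: The clamp on `num_len` bounds it only from above, and nothing in this hunk rejects a negative value. If `num_len` is a signed type filled from the request, a negative length would be converted to a very large `size_t` in the `memcpy(&data[4], number, num_len)` further down. The declaration of `num_len` is outside the hunk, so its type may already rule this out. If it does not, add a lower-bound check before the clamp, e.g. `if (num_len < 0) return -1;`, using whatever error return this function's callers expect. The function body starts and ends outside the hunk.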
@@ -165,6 +165,7 @@ int server_rx_call_originate_exec(void *ptr_data, int data_len )
 
        memset(&data[4], 0, MAX_GSM_DIALED_DIGITS_NUMBER);
        memcpy(&data[4], number, num_len);
+       data[4+num_len] = '\0';
 
        LXT_MESSAGE packet;
        TAPIMessageInit(&packet);
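Review bot: The copy is now bounded on the destination side, but nothing visible compares `num_len` with `data_len`. If `number` points into `ptr_data` and the sender declares more digits than it sent, `memcpy(&data[4], number, num_len)` can still read past the end of the received payload. Unless that check is done earlier in the function (outside this hunk), limit `num_len` to the bytes actually available before copying. The added `data[4+num_len] = '\0';` is already guaranteed by the `memset` two lines above, so one of the two is redundant.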
index 8430fd6c61d27c13b6ac1b9a5bef594b23debdbc..a7bec18655e7c0d11341acec888c7b43781aa316 100644 (file)
@@ -352,7 +352,7 @@ int server_tx_call_incoming_noti( LXT_MESSAGE * packet ) //
 {
        int num_len = 0, ret = 0, tmp = 0;
        char number[MAX_GSM_DIALED_DIGITS_NUMBER];
-       char *p, data[8 + MAX_GSM_DIALED_DIGITS_NUMBER];
+       char *p, data[MAX_GSM_DIALED_DIGITS_NUMBER*2];
        unsigned char ss_present_indi ;
        unsigned char ss_call_type ;
        unsigned char ss_no_cli_cause ;
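Review bot: `data[MAX_GSM_DIALED_DIGITS_NUMBER*2]` gives no hint of how the size relates to what is written into `data`, and the room left for the fixed fields now scales with the digit limit. Together with the header change in this commit, the buffer goes from 8 + 82 = 90 bytes to 64. The writes into `data` are outside the hunk, so I cannot confirm that 64 is sufficient. Please size it as a named fixed-field length plus `MAX_GSM_DIALED_DIGITS_NUMBER`, and add a comment such as `/* fixed fields + number, see the packing code below */`.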
@@ -415,12 +415,18 @@ int server_tx_call_incoming_noti( LXT_MESSAGE * packet ) //
        else
        {
                tmp = (int)p[3];
-               if(tmp < 0 || tmp > MAX_GSM_DIALED_DIGITS_NUMBER){
+               if(tmp < 0){
                        TRACE(MSGL_VGSM_INFO, "ERROR!! Invalid value of packet.data.\n");
+                       callback_callist();
                        return -1;
+               } else if ( tmp >= MAX_GSM_DIALED_DIGITS_NUMBER){
+                       TRACE(MSGL_VGSM_INFO, "The number is too long. It will be cut.\n");
+                       num_len = MAX_GSM_DIALED_DIGITS_NUMBER - 1;
+               } else {
+                       num_len = tmp;
                }
-               num_len = tmp;
                memcpy(number, &p[7], num_len);
+               number[num_len] = '\0';
                log_msg(MSGL_VGSM_INFO,"  call num len %d  \n", num_len);
                ss_present_indi = 0;
                ss_no_cli_cause = 0;
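Review bot: `tmp = (int)p[3];` reads the length byte through a plain `char *`, so the result depends on whether `char` is signed. Where it is signed, a length of 0x80 or more becomes negative and is rejected as an invalid packet instead of being truncated; where it is unsigned, the `tmp < 0` branch is dead. Reading it as `tmp = (unsigned char)p[3];` gives the same behaviour on every platform and leaves only the upper-bound branch to handle. Separately, `memcpy(number, &p[7], num_len)` trusts that length byte without a visible comparison to the packet's own length, so a short packet with a large length byte may be read past its end. That check may exist above the hunk, since the function body starts and ends outside it.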
@@ -437,7 +443,7 @@ int server_tx_call_incoming_noti( LXT_MESSAGE * packet ) //
                for(i=0; i<resp_entry[0].count; i++) {
                        TRACE(MSGL_VGSM_INFO,"i : %d,  type : %d\n", i, resp_entry[i].type);
                        if(resp_entry[i].type == 4 && resp_entry[i].ss_mode == 3) { // 'All incoming calls' has set
-                               TRACE(MSGL_VGSM_INFO, "no call. Incoming Call Barring is set \n");
+                               TRACE(MSGL_VGSM_INFO, "Incoming Call Barring is set \n");
                                return -1;
                        }
                }