handsfree: Fix potential buffer overflow

Function: ag_features_list
 static const char *list[10];  (Out of bounds write, line 75)
  Incrementing i the value is now 10, for “hf-indicators”

Reported by: blanca.e.sabas.rosales@intel.com

diff --git a/src/handsfree.c b/src/handsfree.c
index 30ab7022613388bfcbbd1bff86ac577c1e1eb232..a97dee068e511e65cb0b18f9ea63687f1ace06df 100644 (file)
--- a/src/handsfree.c
+++ b/src/handsfree.c
@@ -72,7 +72,11 @@ struct ofono_handsfree {
 static const char **ag_features_list(unsigned int features,
                                        unsigned int chld_features)
 {
-       static const char *list[10];
+       /*
+        * BRSF response is a 32-bit unsigned int.  Only 32 entries are posible,
+        * and we do not ever report the presence of bit 8.
+        */
+       static const char *list[32];
        unsigned int i = 0;
 
        if (features & HFP_AG_FEATURE_3WAY)