From: Denis Kenzior <denkenz@gmail.com>
Date: Tue, 30 Jun 2015 21:58:36 +0000 (-0500)
Subject: handsfree: Fix potential buffer overflow
X-Git-Tag: upstream/1.17~24
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fceb5a41c25a622755ce6235091354d044de769a;p=platform%2Fupstream%2Fofono.git

handsfree: Fix potential buffer overflow

Function: ag_features_list
 static const char *list[10];  (Out of bounds write, line 75)
  Incrementing i the value is now 10, for “hf-indicators”

Reported by: blanca.e.sabas.rosales@intel.com
---

diff --git a/src/handsfree.c b/src/handsfree.c
index 30ab7022..a97dee06 100644
--- a/src/handsfree.c
+++ b/src/handsfree.c
@@ -72,7 +72,11 @@ struct ofono_handsfree {
 static const char **ag_features_list(unsigned int features,
 					unsigned int chld_features)
 {
-	static const char *list[10];
+	/*
+	 * BRSF response is a 32-bit unsigned int.  Only 32 entries are posible,
+	 * and we do not ever report the presence of bit 8.
+	 */
+	static const char *list[32];
 	unsigned int i = 0;
 
 	if (features & HFP_AG_FEATURE_3WAY)