From 016319b5c8272e809a3b7dc188c4539796175264 Mon Sep 17 00:00:00 2001 From: Sooyoung Ha Date: Thu, 24 Jan 2013 16:41:44 +0900 Subject: [PATCH] [Title] add null check and fix untrusted value. [Desc.] modify vmodem/server/server_common_network.c, server_tx_network.c. --- packaging/vmodemd-emul.spec | 2 +- vmodem/server/server_common_network.c | 8 +++++++- vmodem/server/server_tx_network.c | 2 ++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/packaging/vmodemd-emul.spec b/packaging/vmodemd-emul.spec index ea48033..61fc1b7 100644 --- a/packaging/vmodemd-emul.spec +++ b/packaging/vmodemd-emul.spec @@ -1,6 +1,6 @@ #git:slp/pkgs/v/vmodem-daemon-emulator Name: vmodemd-emul -Version: 0.2.37 +Version: 0.2.38 Release: 1 Summary: Modem Emulator Group: System/ModemEmulator diff --git a/vmodem/server/server_common_network.c b/vmodem/server/server_common_network.c index f64faf7..23ed45c 100644 --- a/vmodem/server/server_common_network.c +++ b/vmodem/server/server_common_network.c @@ -148,6 +148,7 @@ void init_plmn_list(void) void set_plmn_list( unsigned char *data, int len ) { int i = 0, j = 1; + char tmp = 0x00; NetworkEntry entry = {0}; VGSM_DEBUG("\n"); @@ -165,7 +166,12 @@ void set_plmn_list( unsigned char *data, int len ) g_plmn_list.precord = 0; } - g_plmn_list.num_record = data[0]; + tmp = (char)data[0]; + if(tmp < 0x00 || tmp > 0x7f){ + VGSM_DEBUG("ERROR!! Invalid length value.\n"); + return; + } + g_plmn_list.num_record = tmp; g_plmn_list.precord = (gsm_network_plmn_record_t *)malloc(sizeof(gsm_network_plmn_record_t)*g_plmn_list.num_record); diff --git a/vmodem/server/server_tx_network.c b/vmodem/server/server_tx_network.c index 64a2682..7b02347 100644 --- a/vmodem/server/server_tx_network.c +++ b/vmodem/server/server_tx_network.c @@ -61,6 +61,8 @@ int server_tx_net_plmn_list_noti(LXT_MESSAGE const* packet) len = 1 + (tmp * 8); data = malloc(sizeof(unsigned char)*len); + if(data == NULL) + return -1; for(i=0; i