From 06c14e94915f3bfe5c377b389f4bfebafd8d71f7 Mon Sep 17 00:00:00 2001
From: Sooyoung Ha
Date: Sat, 12 Jan 2013 17:57:37 +0900
Subject: [PATCH] [Title] fix risky codes. [Desc.] modify lib/libsms/sms_tool.c, vmodem/db/db_ss.c, vmodem/server/client.c, server_common_network.c, server_common_security.c, server_common_ss.c
---
 lib/libsms/sms_tool.c | 2 +-
 vmodem/db/db_ss.c | 4 ++--
 vmodem/server/client.c | 4 ++++
 vmodem/server/server_common_network.c | 6 +++---
 vmodem/server/server_common_security.c | 4 +++-
 vmodem/server/server_common_ss.c | 8 ++++++++
 6 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/lib/libsms/sms_tool.c b/lib/libsms/sms_tool.c
index b3c2dd5..69ad949 100644
--- a/lib/libsms/sms_tool.c
+++ b/lib/libsms/sms_tool.c
@@ -723,7 +723,7 @@ int DecodeSmsSubmitTpdu(TPDU_SMS_SUBMIT *tpdu_submit, int pdu_len , char * pPDU,
 BYTE tmp_buff[BUFF_SIZE];
 int size, udhl = 0;
 int i = 0, fillbits = 0;
- size_t limit_len = TAPI_NETTEXT_SCADDRESS_LEN_MAX + 1;
+ size_t limit_len = TAPI_NETTEXT_SCADDRESS_LEN_MAX;
 position=0; /* SCA_ADDR */
diff --git a/vmodem/db/db_ss.c b/vmodem/db/db_ss.c
index bc0f524..38f7860 100644
--- a/vmodem/db/db_ss.c
+++ b/vmodem/db/db_ss.c
@@ -1148,7 +1148,7 @@ int send_call_barring_entry(call_barring_entry_t* entry)
 call_barring_entry_t * find_call_barring_entry(int tel_class, int type)
 {
 int i, status = SS_MODE_DEACT, found = 0;
- call_barring_entry_t * entry = (call_barring_entry_t*)malloc(sizeof(call_barring_entry_t));
+ call_barring_entry_t * entry;// = (call_barring_entry_t*)malloc(sizeof(call_barring_entry_t));
 log_msg(MSGL_VGSM_INFO,"1. [find_call_barring_entry]--------telclass : %d, type : %d\n", tel_class, type );
 for(i = 0; i 
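Review bot: In the `DecodeSmsSubmitTpdu` hunk of lib/libsms/sms_tool.c, `limit_len` loses its `+ 1` with no comment saying which buffer it bounds or whether the terminating byte is counted. The name suggests it limits the service-centre address taken from the PDU being decoded, so the relationship between this limit and the destination's size is worth stating at the declaration, for example `/* max SCA address bytes accepted from the PDU; terminator not included */` (wording to be confirmed against the destination's declaration). The code that uses `limit_len` is outside the hunk, so the new value cannot be confirmed as the correct bound from here.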
@@ -95,7 +95,7 @@ void init_plmn_list(void)
 if (g_plmn_list.num_record == 0) {
 g_plmn_list.num_record = 1;
 g_plmn_list.precord = malloc(sizeof(gsm_network_plmn_record_t)*g_plmn_list.num_record); // it needs free().
- memset(g_plmn_list.precord, '\0', sizeof(g_plmn_list.precord));
+ memset(g_plmn_list.precord, '\0', sizeof(gsm_network_plmn_record_t));
 g_plmn_list.precord[0].status = GSM_NET_PLMN_STATUS_AVAIL; // PLMN_STATUS //memcpy(g_plmn_list.precord[0].plmn, plmn, 6);
@@ -148,7 +148,7 @@ void init_plmn_list(void)
 void set_plmn_list( unsigned char *data, int len )
 {
 int i = 0, j = 1;
- NetworkEntry entry;
+ NetworkEntry entry = {0};
 VGSM_DEBUG("\n");
 if (g_plmn_list.num_record != 0) {
diff --git a/vmodem/server/server_common_security.c b/vmodem/server/server_common_security.c
index 15c22ab..87aa14a 100644
--- a/vmodem/server/server_common_security.c
+++ b/vmodem/server/server_common_security.c
@@ -114,7 +114,9 @@ int server_sim_db_init()
 //080226 -for mem free in mem alloc func. void -> int.
 int server_sec_set_sec_db_info(SimSecurity *sim_sec,int ncol)
 {
- SIM_DEBUG("\n");
+ SIM_DEBUG("server_sec_set_sec_db_info\n");
+ if(sim_sec == NULL)
+ return -1;
 //init
 memset(g_pin_value,0,9);
 memset(g_puk_value,0,9);
diff --git a/vmodem/server/server_common_ss.c b/vmodem/server/server_common_ss.c
index e4a5224..720d322 100644
--- a/vmodem/server/server_common_ss.c
+++ b/vmodem/server/server_common_ss.c
@@ -55,6 +55,8 @@ static call_waiting_entry_t * setinitDB(call_waiting_entry_t *entry, int class,
 int init_ss_info_re(void)
 {
 call_waiting_entry_t * entry = malloc(sizeof(call_waiting_entry_t));
+ if(!entry)
+ return -1;
 memset(entry, 0, sizeof(call_waiting_entry_t));
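Review bot: The `malloc` result stored in `g_plmn_list.precord` in `init_plmn_list` is still handed to `memset` and indexed as `precord[0]` without a NULL check, although this same commit adds exactly that check in server_common_ss.c. A guard such as `if (g_plmn_list.precord == NULL) { g_plmn_list.num_record = 0; return; }` before the `memset` would close it. The corrected size is also right only while `num_record` is 1; `memset(g_plmn_list.precord, '\0', sizeof(*g_plmn_list.precord) * g_plmn_list.num_record);` keeps the clear tied to the allocation. The function body continues outside the hunk, so how a failed allocation should be reported is not visible here.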
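Review bot: The new `if(sim_sec == NULL) return -1;` in `server_sec_set_sec_db_info` runs before the `memset` calls that clear `g_pin_value` and `g_puk_value`, so on the error path those globals keep whatever PIN/PUK bytes were stored earlier. If callers treat -1 as "no security data loaded", moving the check below the two clears avoids stale values being compared later; otherwise a comment should say the globals are deliberately left untouched. The literal `9` in those calls would be safer as `sizeof(g_pin_value)` and `sizeof(g_puk_value)`, assuming both are arrays, since their declarations are outside the hunk. The function body continues past the end of the hunk.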
@@ -112,6 +114,8 @@ int init_ss_info_re(void)
 if(cb_pwd_packet.length) FuncServer->Cast(&GlobalPS, LXT_ID_CLIENT_EVENT_INJECTOR, &cb_pwd_packet); // &ServerHandle->server_cast
+ if(entry)
+ free(entry);
 return 1;
 }
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -119,6 +123,8 @@ int init_ss_info_re(void)
 int init_ss_info(void)
 {
 call_waiting_entry_t * entry = (call_waiting_entry_t *)malloc(sizeof(call_waiting_entry_t));
+ if(!entry)
+ return -1;
 memset(entry, 0, sizeof(call_waiting_entry_t));
@@ -189,6 +195,8 @@ int init_ss_info(void)
 if(cb_pwd_packet.length) FuncServer->Cast(&GlobalPS, LXT_ID_CLIENT_EVENT_INJECTOR, &cb_pwd_packet); // &ServerHandle->server_cast
+ if(entry)
+ free(entry);
 return 1;
 }
--
2.7.4
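Review bot: The `free(entry)` added at the end of `init_ss_info_re` (and the identical pair at the end of `init_ss_info`) covers only the final `return 1;` path. The middle of both functions lies outside these hunks, so any earlier `return` there would still leak `entry`; that is worth confirming, or the exits could be routed through one cleanup label. The `if(entry)` guard is redundant as well, since both functions now return -1 when `malloc` fails and `free(NULL)` is a no-op, so `free(entry);` alone is enough. The -1 return is also new to callers, assuming these functions previously always returned 1, so the call sites need checking for how they treat it.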