From 1fedd096a0ba2ce8625a9e4d1c2ce25bb8f6dfe4 Mon Sep 17 00:00:00 2001
From: Marcel Holtmann
Date: Tue, 22 Jun 2010 17:15:06 +0200
Subject: [PATCH] Check sanity the MNC length value from the SIM card

In case the SIM entry is wrong or we force reading of it, nasty things
like this can happen:

ofonod[12456]: Control:> AT+CRSM=176,28589,0,0,4\r
ofonod[12456]: Control:< +CRSM: 144,0,"00FFFF"\r\n\r\nOK\r\n
*** buffer overflow detected ***: ./src/ofonod terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3e42efb417]
/lib64/libc.so.6[0x3e42ef9310]
/lib64/libc.so.6(__strncpy_chk+0x17b)[0x3e42ef85cb]
---
 src/sim.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/sim.c b/src/sim.c
index 17e38c5..2514e7b 100644
--- a/src/sim.c
+++ b/src/sim.c
@@ -871,6 +871,10 @@ static void sim_ad_read_cb(int ok, int length, int record,
 new_mnc_length = data[3] & 0xf;
+ /* sanity check for potential invalid values */
+ if (new_mnc_length < 2 || new_mnc_length > 3)
+ return;
+
 if (sim->mnc_length == new_mnc_length)
 return;
-- 
2.7.4
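Review bot: The new guard rejects an out-of-range MNC length with a bare `return`, so a malformed EF_AD record (the `00FFFF` reply quoted in the commit message) is dropped without any diagnostic and `sim->mnc_length` silently keeps its previous value, which makes the condition hard to spot in the log. Emitting a warning on that path, e.g. `ofono_error("Invalid MNC length %d in EF_AD", new_mnc_length);` before the `return`, keeps the fix while leaving a trace for operators; the exact log helper should follow what src/sim.c already uses. The bounds 2 and 3 are bare magic numbers; the comment above the check would be more useful as `/* 3GPP TS 31.102: MNC length in EF_AD is 2 or 3 digits */`. The backtrace shows the overflow occurs in a later `strncpy` that consumes this length, and that copy is presumably still unbounded on its own, so validating here protects only callers that go through this path. sim_ad_read_cb starts and ends outside the hunk.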