Also make sure we don't read beyond end of the string.
---
drivers/atmodem/ussd.c | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c
index c29f8f6..1d819a3 100644
--- a/drivers/atmodem/ussd.c
+++ b/drivers/atmodem/ussd.c
@@ -59,7 +59,7 @@ static void at_ussd_request(struct ofono_ussd *ussd, const
char *str,
{
GAtChat *chat = ofono_ussd_get_data(ussd);
struct cb_data *cbd = cb_data_new(cb, data);
- unsigned char *converted;
+ unsigned char *converted = NULL;
int dcs;
int max_len;
long written;
@@ -83,7 +83,10 @@ static void at_ussd_request(struct ofono_ussd *ussd, const
char *str,
if (written > max_len)
goto error;
- sprintf(buf, "AT+CUSD=1,\"%s\",%d", converted, dcs);
+ sprintf(buf, "AT+CUSD=1,\"%*s\",%d", (int) written, converted, dcs);
+
+ g_free(converted);
+ converted = NULL;
if (g_at_chat_send(chat, buf, none_prefix,
cusd_request_cb, cbd, g_free) > 0)
@@ -92,6 +95,8 @@ static void at_ussd_request(struct ofono_ussd *ussd, const
char *str,
error:
if (cbd)
g_free(cbd);
+ if (converted)
+ g_free(converted);
CALLBACK_WITH_FAILURE(cb, data);
}
--
1.6.1
_______________________________________________
ofono mailing list
[email protected]
http://lists.ofono.org/listinfo/ofono
