If, for instance, "1234" is given as the PIN, optarg is only 5 bytes
long, but memcpy would copy 8.
In addition, the current code also makes sure that there is a
terminating null byte ('\0') inside the sim_pin array.
Signed-off-by: Denis 'GNUtoo' Carikli <[email protected]>
---
tools/ipc-modem.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/tools/ipc-modem.c b/tools/ipc-modem.c
index c85c812..2b19f57 100644
--- a/tools/ipc-modem.c
+++ b/tools/ipc-modem.c
@@ -18,6 +18,7 @@
* along with libsamsung-ipc. If not, see <http://www.gnu.org/licenses/>.
*/
+#include <assert.h>
#include <fcntl.h>
#include <getopt.h>
#include <pthread.h>
@@ -511,17 +512,17 @@ int main(int argc, char *argv[])
} else if (strcmp(opt_l[opt_i].name, "debug") == 0) {
debug = 1;
printf("[I] Debug enabled\n");
- } else if (strcmp(opt_l[opt_i].name, "pin") == 0) {
- if (optarg) {
- if (strlen(optarg) < 8) {
- printf("[I] Got SIM PIN!\n");
- memcpy(sim_pin, optarg, 8);
- } else {
- printf("[E] "
- "SIM PIN is too long!"
- "\n");
- return 1;
- }
+ } else if ((strcmp(opt_l[opt_i].name, "pin") == 0) &&
+ (optarg)) {
+ if (strlen(optarg) < 8) {
+ assert(strlen(optarg) <
+ sizeof(sim_pin));
+
+ printf("[I] Got SIM PIN!\n");
+ strcpy(sim_pin, optarg);
+ } else {
+ printf("[E] SIM PIN is too long!\n");
+ return 1;
}
}
break;
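Review bot: The new `if (strlen(optarg) < 8)` guard and the `assert(strlen(optarg) < sizeof(sim_pin))` directly below it check the same condition twice, and the assert is the wrong tool: it is compiled out under NDEBUG, so the only bound that actually protects the `strcpy` into `sim_pin` is the hard-coded 8, which has to be kept in step with the array's size by hand. Validating a command-line argument is an input check, not a program invariant, so let the runtime condition reference the buffer itself, `if (strlen(optarg) < sizeof(sim_pin)) {`, and drop the assert together with the `#include <assert.h>` added in the first hunk. `sim_pin` is declared outside this hunk, so this presumes it is a fixed-size char array, which is what the commit message describes. The enclosing `main` begins and ends outside the hunk.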
--
2.30.1