diff options
author | Szymon Janc <szymon.janc@tieto.com> | 2015-02-09 16:54:40 +0100 |
---|---|---|
committer | Szymon Janc <szymon.janc@tieto.com> | 2015-02-09 16:57:02 +0100 |
commit | 64bedd4d316cdd6523589b3a1d4301e33d152b10 (patch) | |
tree | ed8c46dce5422788f7965666fcc55da368e4b0e8 /android/handsfree.c | |
parent | e8ef259138c35552134f4e40b5616caa6d81c21c (diff) | |
download | bluez-64bedd4d316cdd6523589b3a1d4301e33d152b10.tar.gz |
android/handsfree: Fix possible invalid memory write
Copy command to IPC buffer only after checking string size.
Diffstat (limited to 'android/handsfree.c')
-rw-r--r-- | android/handsfree.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/android/handsfree.c b/android/handsfree.c index 4af2a8903..ba798ee18 100644 --- a/android/handsfree.c +++ b/android/handsfree.c @@ -319,13 +319,14 @@ static void at_cmd_unknown(const char *command, void *user_data) /* copy while string including terminating NULL */ ev->len = strlen(command) + 1; - memcpy(ev->buf, command, ev->len); if (ev->len > IPC_MTU - sizeof(*ev)) { hfp_gw_send_result(dev->gw, HFP_RESULT_ERROR); return; } + memcpy(ev->buf, command, ev->len); + ipc_send_notif(hal_ipc, HAL_SERVICE_ID_HANDSFREE, HAL_EV_HANDSFREE_UNKNOWN_AT, sizeof(*ev) + ev->len, ev); } |