android/handsfree: Fix possible invalid memory write

Copy command to IPC buffer only after checking string size.
author: Szymon Janc <szymon.janc@tieto.com> 2015-02-09 16:54:40 +0100
committer: Szymon Janc <szymon.janc@tieto.com> 2015-02-09 16:57:02 +0100
commit: 64bedd4d316cdd6523589b3a1d4301e33d152b10 (patch)
tree: ed8c46dce5422788f7965666fcc55da368e4b0e8 /android/handsfree.c
parent: e8ef259138c35552134f4e40b5616caa6d81c21c (diff)
download: bluez-64bedd4d316cdd6523589b3a1d4301e33d152b10.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/android/handsfree.c b/android/handsfree.c
index 4af2a8903..ba798ee18 100644
--- a/android/handsfree.c
+++ b/android/handsfree.c
@@ -319,13 +319,14 @@ static void at_cmd_unknown(const char *command, void *user_data)
 
 	/* copy while string including terminating NULL */
 	ev->len = strlen(command) + 1;
-	memcpy(ev->buf, command, ev->len);
 
 	if (ev->len > IPC_MTU - sizeof(*ev)) {
 		hfp_gw_send_result(dev->gw, HFP_RESULT_ERROR);
 		return;
 	}
 
+	memcpy(ev->buf, command, ev->len);
+
 	ipc_send_notif(hal_ipc, HAL_SERVICE_ID_HANDSFREE,
 			HAL_EV_HANDSFREE_UNKNOWN_AT, sizeof(*ev) + ev->len, ev);
 }
author	Szymon Janc <szymon.janc@tieto.com>	2015-02-09 16:54:40 +0100
committer	Szymon Janc <szymon.janc@tieto.com>	2015-02-09 16:57:02 +0100
commit	64bedd4d316cdd6523589b3a1d4301e33d152b10 (patch)
tree	ed8c46dce5422788f7965666fcc55da368e4b0e8 /android/handsfree.c
parent	e8ef259138c35552134f4e40b5616caa6d81c21c (diff)
download	bluez-64bedd4d316cdd6523589b3a1d4301e33d152b10.tar.gz