From e0663bd0eda7ed7a8141bcf3aa9c41053572ca7c Mon Sep 17 00:00:00 2001 From: Andrzej Zaborowski Date: Mon, 25 Oct 2010 07:51:25 +0200 Subject: voicecall: Limit tone string length per request. Also change to avoid memcpying into a buffer. --- src/voicecall.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/voicecall.c b/src/voicecall.c index 26cfb9a8..bd644326 100644 --- a/src/voicecall.c +++ b/src/voicecall.c @@ -2472,7 +2472,7 @@ static gboolean tone_request_run(gpointer user_data) { struct ofono_voicecall *vc = user_data; struct tone_queue_entry *entry = g_queue_peek_head(vc->toneq); - char buf[256]; + char final; unsigned len; vc->tone_source = 0; @@ -2483,14 +2483,17 @@ static gboolean tone_request_run(gpointer user_data) len = strcspn(entry->left, "pP"); if (len) { - if (len >= sizeof(buf)) - len = sizeof(buf) - 1; + if (len > 8) /* Arbitrary length limit per request */ + len = 8; - memcpy(buf, entry->left, len); - buf[len] = '\0'; - entry->left += len; + /* Temporarily move the end of the string */ + final = entry->left[len]; + entry->left[len] = '\0'; + + vc->driver->send_tones(vc, entry->left, tone_request_cb, vc); - vc->driver->send_tones(vc, buf, tone_request_cb, vc); + entry->left += len; + entry->left[0] = final; } else tone_request_cb(NULL, vc); -- cgit v1.2.3