From fceb5a41c25a622755ce6235091354d044de769a Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Tue, 30 Jun 2015 16:58:36 -0500
Subject: handsfree: Fix potential buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Function: ag_features_list static const char *list[10]; (Out of bounds write, line 75) Incrementing i the value is now 10, for “hf-indicators” Reported by: blanca.e.sabas.rosales@intel.com
---
 src/handsfree.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'src')
diff --git a/src/handsfree.c b/src/handsfree.c
index 30ab7022..a97dee06 100644
--- a/src/handsfree.c
+++ b/src/handsfree.c
@@ -72,7 +72,11 @@ struct ofono_handsfree {
 static const char **ag_features_list(unsigned int features,
 unsigned int chld_features)
 {
- static const char *list[10];
+ /*
+ * BRSF response is a 32-bit unsigned int. Only 32 entries are posible,
+ * and we do not ever report the presence of bit 8.
+ */
+ static const char *list[32];
 unsigned int i = 0;

 if (features & HFP_AG_FEATURE_3WAY)
-- 
cgit v1.2.3
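Review bot: The new size of 32 for `list` is justified only by the comment about the width of the BRSF bitmask, and nothing in the hunk enforces it. The function also takes `chld_features` and presumably writes a terminating NULL, so the stated bound does not obviously cover every write; the body that fills the array is outside this hunk. The original overflow came from the number of appended strings drifting past the array size, and that can recur as long as the two are tied together only by prose. I would make the invariant checkable by guarding each append, for example `if (i < sizeof(list) / sizeof(list[0]) - 1) list[i++] = name;`, and reword the comment to `/* One slot per feature string from either mask, plus the NULL terminator. */`.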