#include <string.h>
#include "bt_common.h"
#include "bta_ag_at.h"
+#include "log/log.h"
#include "utl.h"
/*****************************************************************************
** Returns void
**
******************************************************************************/
-void bta_ag_process_at(tBTA_AG_AT_CB *p_cb)
+void bta_ag_process_at(tBTA_AG_AT_CB *p_cb, char *p_end)
{
UINT16 idx;
UINT8 arg_type;
{
/* start of argument is p + strlen matching command */
p_arg = p_cb->p_cmd_buf + strlen(p_cb->p_at_tbl[idx].p_cmd);
+ if (p_arg > p_end) {
+ (*p_cb->p_err_cback)(p_cb->p_user, FALSE, NULL);
+ android_errorWriteLog(0x534e4554, "112860487");
+ return;
+ }
/* if no argument */
if (p_arg[0] == 0)
(*p_cb->p_cmd_cback)(p_cb->p_user,
p_cb->p_at_tbl[idx].command_id,
- arg_type, p_arg, int_arg);
+ arg_type, p_arg, p_end, int_arg);
}
}
else
{
(*p_cb->p_cmd_cback)(p_cb->p_user,
p_cb->p_at_tbl[idx].command_id,
- arg_type, p_arg, int_arg);
+ arg_type, p_arg, p_end, int_arg);
}
}
/* else error */
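Review bot: The new guard rejects p_arg past p_end but lets p_arg == p_end through to the `p_arg[0]` read right below it, so correctness rests on p_cb->p_cmd_buf[cmd_pos] holding the NUL terminator, which this diff does not show; the function header still says only "Returns void" and should record that contract, e.g. `** p_end: address of the terminating NUL in p_cmd_buf; p_arg is never allowed past it`. The error path passes `NULL` as p_arg to p_err_cback, whose declared type (bta_ag_at_err_cback in the header hunk) takes a `char *p_arg`; if that callback logs or formats p_arg when unknown is FALSE it needs a NULL check there, which is not visible here. bta_ag_process_at's signature is in the preceding hunk and its body continues outside this one.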
(p_cb->p_cmd_buf[1] == 'T' || p_cb->p_cmd_buf[1] == 't'))
{
p_save = p_cb->p_cmd_buf;
+ char *p_end = p_cb->p_cmd_buf + p_cb->cmd_pos;
p_cb->p_cmd_buf += 2;
- bta_ag_process_at(p_cb);
+ bta_ag_process_at(p_cb, p_end);
p_cb->p_cmd_buf = p_save;
}
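Review bot: p_end is derived from cmd_pos before p_cmd_buf is advanced by 2, which is the right order, but every downstream check (the `p_arg > p_end` guard, the `p < p_end` scans, the length test in the callbacks) presumes that p_cmd_buf[cmd_pos] is a readable NUL; that invariant is established by the line parser outside this hunk and deserves a comment at the point where p_end is defined, e.g. `/* p_end: one past the last received byte; presumably the parser stored 0 at p_cmd_buf[cmd_pos] — confirm */`. The enclosing function starts before this hunk.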
#include "bta_ag_int.h"
#include "bta_api.h"
#include "bta_sys.h"
+#include "log/log.h"
#include "bt_common.h"
#include "osi/include/log.h"
#include "port_api.h"
** Returns TRUE if parsed ok, FALSE otherwise.
**
*******************************************************************************/
-static BOOLEAN bta_ag_parse_cmer(char *p_s, BOOLEAN *p_enabled)
+static BOOLEAN bta_ag_parse_cmer(char *p_s, char *p_end, BOOLEAN *p_enabled)
{
INT16 n[4] = {-1, -1, -1, -1};
int i;
char *p;
- for (i = 0; i < 4; i++)
+ for (i = 0; i < 4; i++, p_s = p + 1)
{
/* skip to comma delimiter */
- for (p = p_s; *p != ',' && *p != 0; p++);
+ for (p = p_s; p < p_end && *p != ',' && *p != 0; p++);
/* get integer value */
+ if (p > p_end) {
+ android_errorWriteLog(0x534e4554, "112860487");
+ return FALSE;
+ }
*p = 0;
n[i] = utl_str2int(p_s);
p_s = p + 1;
- if (p_s == 0)
- {
- break;
- }
}
/* process values */
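Review bot: `p_s = p + 1;` in the loop body now duplicates the increment expression added to the for header, so the same assignment runs twice per iteration; drop the body line and keep `for (i = 0; i < 4; i++, p_s = p + 1)`. Note that the `p > p_end` test only fires on the iteration after a scan has stopped at p == p_end (the increment then steps p_s one past it), so the `*p = 0` store and the utl_str2int read still happen at p_end itself and rely on that byte being the terminator inside p_cmd_buf; the `if (*p != 0)` read in bta_ag_parse_bac makes the same assumption, and a one-line comment on the p_end parameter in both function headers would record it. bta_ag_parse_cmer's value processing continues after this hunk.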
** Returns Returns bitmap of supported codecs.
**
*******************************************************************************/
-static tBTA_AG_PEER_CODEC bta_ag_parse_bac(tBTA_AG_SCB *p_scb, char *p_s)
+static tBTA_AG_PEER_CODEC bta_ag_parse_bac(tBTA_AG_SCB *p_scb, char *p_s,
+ char *p_end)
{
tBTA_AG_PEER_CODEC retval = BTA_AG_CODEC_NONE;
UINT16 uuid_codec;
while(p_s)
{
/* skip to comma delimiter */
- for(p = p_s; *p != ',' && *p != 0; p++);
+ for(p = p_s; p < p_end && *p != ',' && *p != 0; p++);
/* get integre value */
+ if (p > p_end) {
+ android_errorWriteLog(0x534e4554, "112860487");
+ break;
+ }
if (*p != 0)
{
*p = 0;
**
*******************************************************************************/
void bta_ag_at_hsp_cback(tBTA_AG_SCB *p_scb, UINT16 command_id, UINT8 arg_type,
- char *p_arg, INT16 int_arg)
+ char *p_arg, char *p_end, INT16 int_arg)
{
APPL_TRACE_DEBUG("AT cmd:%d arg_type:%d arg:%d arg:%s", command_id, arg_type,
int_arg, p_arg);
val.hdr.handle = bta_ag_scb_to_idx(p_scb);
val.hdr.app_id = p_scb->app_id;
val.num = (UINT16) int_arg;
- strlcpy(val.str, p_arg, BTA_AG_AT_MAX_LEN);
+
+ if ((p_end - p_arg + 1) >= (long)sizeof(val.str)) {
+ APPL_TRACE_ERROR("%s: p_arg is too long, send error and return", __func__);
+ bta_ag_send_error(p_scb, BTA_AG_ERR_TEXT_TOO_LONG);
+ android_errorWriteLog(0x534e4554, "112860487");
+ return;
+ }
+ strlcpy(val.str, p_arg, sizeof(val.str));
/* call callback with event */
(*bta_ag_cb.p_cback)(command_id, (tBTA_AG *) &val);
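Review bot: The length test `(p_end - p_arg + 1) >= (long)sizeof(val.str)` rejects an argument of exactly sizeof(val.str) - 1 bytes, which fits together with its terminator if p_end addresses the NUL (as the `p_arg[0] == 0` handling in bta_ag_process_at suggests); `p_end - p_arg >= (long)sizeof(val.str)` is the exact bound, and strlcpy already guarantees termination. The identical seven-line block is repeated verbatim in bta_ag_at_hfp_cback, so a shared static helper keeps the bound in one place, as sketched below (assuming val is a tBTA_AG_VAL here as it is declared in the hfp callback). Both callers would then read `if (!bta_ag_copy_arg(p_scb, &val, p_arg, p_end)) return;`, and both callbacks continue past their hunks.
```c
/* Copy the AT argument into p_val->str; send ERROR and return FALSE if it cannot fit. */
static BOOLEAN bta_ag_copy_arg(tBTA_AG_SCB *p_scb, tBTA_AG_VAL *p_val,
                               const char *p_arg, const char *p_end)
{
    /* (p_end - p_arg) characters plus the terminator must fit in p_val->str */
    if (p_end - p_arg >= (long)sizeof(p_val->str)) {
        APPL_TRACE_ERROR("%s: p_arg is too long, send error and return", __func__);
        bta_ag_send_error(p_scb, BTA_AG_ERR_TEXT_TOO_LONG);
        android_errorWriteLog(0x534e4554, "112860487");
        return FALSE;
    }
    strlcpy(p_val->str, p_arg, sizeof(p_val->str));
    return TRUE;
}
/* … unchanged: bta_ag_at_hsp_cback prologue (trace, hdr, num) … */
if (!bta_ag_copy_arg(p_scb, &val, p_arg, p_end)) {
    return;
}
```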
**
*******************************************************************************/
void bta_ag_at_hfp_cback(tBTA_AG_SCB *p_scb, UINT16 cmd, UINT8 arg_type,
- char *p_arg, INT16 int_arg)
+ char *p_arg, char *p_end, INT16 int_arg)
{
tBTA_AG_VAL val;
tBTA_AG_SCB *ag_scb;
val.hdr.status = BTA_AG_SUCCESS;
val.num = int_arg;
bdcpy(val.bd_addr, p_scb->peer_addr);
- strlcpy(val.str, p_arg, BTA_AG_AT_MAX_LEN);
+
+ if ((p_end - p_arg + 1) >= (long)sizeof(val.str)) {
+ APPL_TRACE_ERROR("%s: p_arg is too long, send error and return", __func__);
+ bta_ag_send_error(p_scb, BTA_AG_ERR_TEXT_TOO_LONG);
+ android_errorWriteLog(0x534e4554, "112860487");
+ return;
+ }
+ strlcpy(val.str, p_arg, sizeof(val.str));
/**
* Unless this this is a local event, by default we'll forward
case BTA_AG_LOCAL_EVT_CMER:
/* if parsed ok store setting, send OK */
- if (bta_ag_parse_cmer(p_arg, &p_scb->cmer_enabled))
+ if (bta_ag_parse_cmer(p_arg, p_end, &p_scb->cmer_enabled))
{
bta_ag_send_ok(p_scb);
/* store available codecs from the peer */
if((p_scb->peer_features & BTA_AG_PEER_FEAT_CODEC) && (p_scb->features & BTA_AG_FEAT_CODEC))
{
- p_scb->peer_codecs = bta_ag_parse_bac(p_scb, p_arg);
+ p_scb->peer_codecs = bta_ag_parse_bac(p_scb, p_arg, p_end);
p_scb->codec_updated = TRUE;
if (p_scb->peer_codecs & BTA_AG_CODEC_MSBC)
/* AT command functions */
extern void bta_ag_at_hsp_cback(tBTA_AG_SCB *p_scb, UINT16 cmd, UINT8 arg_type,
- char *p_arg, INT16 int_arg);
+ char *p_arg, char *p_end, INT16 int_arg);
extern void bta_ag_at_hfp_cback(tBTA_AG_SCB *p_scb, UINT16 cmd, UINT8 arg_type,
- char *p_arg, INT16 int_arg);
+ char *p_arg, char *p_end, INT16 int_arg);
extern void bta_ag_at_err_cback(tBTA_AG_SCB *p_scb, BOOLEAN unknown, char *p_arg);
extern BOOLEAN bta_ag_inband_enabled(tBTA_AG_SCB *p_scb);
extern void bta_ag_send_call_inds(tBTA_AG_SCB *p_scb, tBTA_AG_RES result);