[Replicant] [libsamsung-ipc] [PATCH 2/4] tools: ipc-modem: fix potential out of bounds sim_pin memcpy

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Wed Mar 17 17:37:39 UTC 2021


If for instance "1234" is given as pin, the size of optarg
should be 5 but memcpy would copy 8.

In addition, the current code also makes sure that there is a
terminating null byte ('\0') inside the sim_pin array.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo at cyberdimension.org>
---
 tools/ipc-modem.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/tools/ipc-modem.c b/tools/ipc-modem.c
index c85c812..2b19f57 100644
--- a/tools/ipc-modem.c
+++ b/tools/ipc-modem.c
@@ -18,6 +18,7 @@
  * along with libsamsung-ipc.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <assert.h>
 #include <fcntl.h>
 #include <getopt.h>
 #include <pthread.h>
@@ -511,17 +512,17 @@ int main(int argc, char *argv[])
 			} else if (strcmp(opt_l[opt_i].name, "debug") == 0) {
 				debug = 1;
 				printf("[I] Debug enabled\n");
-			} else if (strcmp(opt_l[opt_i].name, "pin") == 0) {
-				if (optarg) {
-					if (strlen(optarg) < 8) {
-						printf("[I] Got SIM PIN!\n");
-						memcpy(sim_pin, optarg, 8);
-					} else {
-						printf("[E] "
-						       "SIM PIN is too long!"
-						       "\n");
-						return 1;
-					}
+			} else if ((strcmp(opt_l[opt_i].name, "pin") == 0) &&
+				   (optarg)) {
+				if (strlen(optarg) < 8) {
+					assert(strlen(optarg) <
+					       sizeof(sim_pin));
+
+					printf("[I] Got SIM PIN!\n");
+					strcpy(sim_pin, optarg);
+				} else {
+					printf("[E] SIM PIN is too long!\n");
+					return 1;
 				}
 			}
 			break;
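Review bot: the `assert(strlen(optarg) < sizeof(sim_pin))` is compiled out under `NDEBUG`, so the only bound that always holds before `strcpy(sim_pin, optarg)` is the literal `strlen(optarg) < 8`; if `sim_pin` is ever resized below 8 bytes, release builds overflow again. Safer to drop the magic number and check against the buffer itself, computing the length once: `size_t len = strlen(optarg);` / `if (len < sizeof(sim_pin)) {` / `strcpy(sim_pin, optarg);` with the existing `else` error path, which makes the copy correct by construction (the terminator always fits) and removes the need for the assert. The merged `&& (optarg)` condition is behaviourally equivalent here, since the `else if` chain ends right after this branch and `break;` follows, but in both old and new code `--pin` with a missing argument is silently ignored; an explicit `[E]` message would make that failure visible to the user. For the record, the old `memcpy(sim_pin, optarg, 8)` after a `strlen(optarg) < 8` check read up to 7 bytes past the terminator of `optarg` (for "1234": 5 valid bytes, 3 read beyond), which is the over-read the switch to `strcpy` removes.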
-- 
2.30.1