Fix: potential to crash in atmodem

Some callbacks in call-meter were assuming that a modem follows 27.007
and actually returns a string.  Some modems don't return a string that
is properly formatted (e.g. in quotes).  The strtol was thus accessing
uninitialized memory and crashing ofono.

1 files changed, 20 insertions, 14 deletions

diff --git a/drivers/atmodem/call-meter.c b/drivers/atmodem/call-meter.c
index 422056eb..38774d41 100644
--- a/drivers/atmodem/call-meter.c
+++ b/drivers/atmodem/call-meter.c
@@ -65,19 +65,21 @@ static void caoc_cacm_camm_query_cb(gboolean ok,
 
 	g_at_result_iter_init(&iter, result);
 
-	if (!g_at_result_iter_next(&iter, cbd->user)) {
-		CALLBACK_WITH_FAILURE(cb, -1, cbd->data);
-		return;
-	}
+	if (!g_at_result_iter_next(&iter, cbd->user))
+		goto error;
+
+	if (g_at_result_iter_next_string(&iter, &meter_hex) == FALSE)
+		goto error;
 
-	g_at_result_iter_next_string(&iter, &meter_hex);
 	meter = strtol(meter_hex, &end, 16);
-	if (*end) {
-		CALLBACK_WITH_FAILURE(cb, -1, cbd->data);
-		return;
-	}
+	if (*end)
+		goto error;
 
 	cb(&error, meter, cbd->data);
+	return;
+
+error:
+	CALLBACK_WITH_FAILURE(cb, -1, cbd->data);
 }
 
 static void cccm_notify(GAtResult *result, gpointer user_data)
@@ -93,14 +95,18 @@ static void cccm_notify(GAtResult *result, gpointer user_data)
 	if (!g_at_result_iter_next(&iter, "+CCCM:"))
 		return;
 
-	g_at_result_iter_next_string(&iter, &meter_hex);
+	if (g_at_result_iter_next_string(&iter, &meter_hex) == FALSE)
+		goto error;
+
 	meter = strtol(meter_hex, &end, 16);
-	if (*end) {
-		ofono_error("Invalid CCCM value");
-		return;
-	}
+	if (*end)
+		goto error;
 
 	ofono_call_meter_changed_notify(cm, meter);
+	return;
+
+error:
+	ofono_error("Invalid CCCM value");
 }
 
 static void at_caoc_query(struct ofono_call_meter *cm,