From c0c6d70fe9d4122e6142b0a9785a44a7f3d0cf0d Mon Sep 17 00:00:00 2001
From: Vadim Yanitskiy <axilirator@gmail.com>
Date: Fri, 9 Mar 2018 05:08:23 +0700
Subject: Transceiver.cpp: prevent out-of-range array access

There was no a simple range check for both (NO)HANDOVER commands,
so an out-of-range access was possible. For example, a command:

  CMD HANDOVER 0 -3

might enable EDGE at run-time, because:

  a[i] == *(a + i)

Let's fix this.

Change-Id: I24a5f70e8e8097f218d7cbdef8cb10df2c35416f
---
 Transceiver52M/Transceiver.cpp | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

(limited to 'Transceiver52M/Transceiver.cpp')

diff --git a/Transceiver52M/Transceiver.cpp b/Transceiver52M/Transceiver.cpp
index 859a1de..2d3771c 100644
--- a/Transceiver52M/Transceiver.cpp
+++ b/Transceiver52M/Transceiver.cpp
@@ -727,15 +727,23 @@ void Transceiver::driveControl(size_t chan)
       }
     }
   } else if (match_cmd(command, "HANDOVER", &params)) {
-    int ts=0,ss=0;
-    sscanf(params, "%d %d", &ts, &ss);
-    mHandover[ts][ss] = true;
-    sprintf(response,"RSP HANDOVER 0 %d %d",ts,ss);
+    unsigned ts = 0, ss = 0;
+    sscanf(params, "%u %u", &ts, &ss);
+    if (ts > 7 || ss > 7) {
+      sprintf(response, "RSP NOHANDOVER 1 %u %u", ts, ss);
+    } else {
+      mHandover[ts][ss] = true;
+      sprintf(response, "RSP HANDOVER 0 %u %u", ts, ss);
+    }
   } else if (match_cmd(command, "NOHANDOVER", &params)) {
-    int ts=0,ss=0;
-    sscanf(params, "%d %d", &ts, &ss);
-    mHandover[ts][ss] = false;
-    sprintf(response,"RSP NOHANDOVER 0 %d %d",ts,ss);
+    unsigned ts = 0, ss = 0;
+    sscanf(params, "%u %u", &ts, &ss);
+    if (ts > 7 || ss > 7) {
+      sprintf(response, "RSP NOHANDOVER 1 %u %u", ts, ss);
+    } else {
+      mHandover[ts][ss] = false;
+      sprintf(response, "RSP NOHANDOVER 0 %u %u", ts, ss);
+    }
   } else if (match_cmd(command, "SETMAXDLY", &params)) {
     //set expected maximum time-of-arrival
     int maxDelay;
-- 
cgit v1.2.3