Transceiver.cpp: prevent out-of-range array access

There was no a simple range check for both (NO)HANDOVER commands,
so an out-of-range access was possible. For example, a command:

  CMD HANDOVER 0 -3

might enable EDGE at run-time, because:

  a[i] == *(a + i)

Let's fix this.

Change-Id: I24a5f70e8e8097f218d7cbdef8cb10df2c35416f

1 files changed, 16 insertions, 8 deletions

diff --git a/Transceiver52M/Transceiver.cpp b/Transceiver52M/Transceiver.cpp
index 859a1de..2d3771c 100644
--- a/Transceiver52M/Transceiver.cpp
+++ b/Transceiver52M/Transceiver.cpp
@@ -727,15 +727,23 @@ void Transceiver::driveControl(size_t chan)
       }
     }
   } else if (match_cmd(command, "HANDOVER", &params)) {
-    int ts=0,ss=0;
-    sscanf(params, "%d %d", &ts, &ss);
-    mHandover[ts][ss] = true;
-    sprintf(response,"RSP HANDOVER 0 %d %d",ts,ss);
+    unsigned ts = 0, ss = 0;
+    sscanf(params, "%u %u", &ts, &ss);
+    if (ts > 7 || ss > 7) {
+      sprintf(response, "RSP NOHANDOVER 1 %u %u", ts, ss);
+    } else {
+      mHandover[ts][ss] = true;
+      sprintf(response, "RSP HANDOVER 0 %u %u", ts, ss);
+    }
   } else if (match_cmd(command, "NOHANDOVER", &params)) {
-    int ts=0,ss=0;
-    sscanf(params, "%d %d", &ts, &ss);
-    mHandover[ts][ss] = false;
-    sprintf(response,"RSP NOHANDOVER 0 %d %d",ts,ss);
+    unsigned ts = 0, ss = 0;
+    sscanf(params, "%u %u", &ts, &ss);
+    if (ts > 7 || ss > 7) {
+      sprintf(response, "RSP NOHANDOVER 1 %u %u", ts, ss);
+    } else {
+      mHandover[ts][ss] = false;
+      sprintf(response, "RSP NOHANDOVER 0 %u %u", ts, ss);
+    }
   } else if (match_cmd(command, "SETMAXDLY", &params)) {
     //set expected maximum time-of-arrival
     int maxDelay;