If, for instance, "1234" is given as the PIN, optarg is only 5 bytes long (four digits plus the terminating NUL), but memcpy would copy 8 bytes and so read past the end of the string.
In addition, the current code also makes sure that there is a terminating null byte ('\0') inside the sim_pin array.
Signed-off-by: Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org>
---
 tools/ipc-modem.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/tools/ipc-modem.c b/tools/ipc-modem.c
index c85c812..2b19f57 100644
--- a/tools/ipc-modem.c
+++ b/tools/ipc-modem.c
@@ -18,6 +18,7 @@
 * along with libsamsung-ipc. If not, see <http://www.gnu.org/licenses/>.
 */
+#include <assert.h>
 #include <fcntl.h>
 #include <getopt.h>
 #include <pthread.h>
@@ -511,17 +512,17 @@ int main(int argc, char *argv[])
 } else if (strcmp(opt_l[opt_i].name, "debug") == 0) {
 debug = 1;
 printf("[I] Debug enabled\n");
- } else if (strcmp(opt_l[opt_i].name, "pin") == 0) {
- if (optarg) {
- if (strlen(optarg) < 8) {
- printf("[I] Got SIM PIN!\n");
- memcpy(sim_pin, optarg, 8);
- } else {
- printf("[E] "
- "SIM PIN is too long!"
- "\n");
- return 1;
- }
+ } else if ((strcmp(opt_l[opt_i].name, "pin") == 0) &&
+ (optarg)) {
+ if (strlen(optarg) < 8) {
+ assert(strlen(optarg) <
+ sizeof(sim_pin));
+
+ printf("[I] Got SIM PIN!\n");
+ strcpy(sim_pin, optarg);
+ } else {
+ printf("[E] SIM PIN is too long!\n");
+ return 1;
+ }
 }
 break;
-- 
2.30.1
_______________________________________________
Replicant mailing list
Replicant@osuosl.org
https://lists.osuosl.org/mailman/listinfo/replicant
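Review bot: The length check in the new `--pin` branch still hard-codes `8` while the `assert` directly below it compares against `sizeof(sim_pin)`; under `NDEBUG` the assert compiles out, so the only bound actually enforced on the `strcpy` is the literal, which silently diverges from the buffer if `sim_pin` is ever resized. Use the array size as the single source of truth and drop the assert: `if (strlen(optarg) < sizeof(sim_pin)) {` — the strict `<` already leaves room for the terminator that `strcpy` writes. As before, the check also accepts an empty `--pin ""` and rejects an 8-character PIN; whether either matches what the modem expects depends on `sim_pin`'s declaration, which is not in the hunk. Independently, on Linux a PIN passed as a command-line argument is readable by other local users via `ps`/`/proc/<pid>/cmdline`, which a one-line comment at the option, such as `/* NOTE: a PIN given via --pin is visible in the process command line */`, should at least document. The enclosing `main` starts and ends outside the hunk.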