author | Wyatt Riley <wyattriley@google.com> | 2017-05-24 13:24:38 -0700 |
---|---|---|
committer | Wyatt Riley <wyattriley@google.com> | 2017-05-24 13:34:29 -0700 |
commit | 7d256bcb2273429a0251fd14cc89fcd8e1d4241f (patch) | |
tree | b62a92115ca4af4e7abad8ba5e2dafa3debc1c3d | |
parent | 26b4a93a806fd9a184fa49368ef4d4276891cbeb (diff) | |
Fix for buffer overrun crash at copying nmea string
Add zero clearing of allocated nmea buffer to ensure
the nmea string is null terminated.
CRs-Fixed: 2041933
Fixes: 37987256
Fixes: 37911727
Test: Builds, GPS works, with NMEA on, inside/outside, w/o crash.
Change-Id: I7b9a52eee8baf2d0a269fc5e2ec95f12d1d7aece
-rw-r--r-- | msm8998/core/SystemStatus.cpp | 2 | ||||
-rw-r--r-- | msm8998/gnss/GnssAdapter.cpp | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/msm8998/core/SystemStatus.cpp b/msm8998/core/SystemStatus.cpp
index 12f97dd..f4f07f2 100644
--- a/msm8998/core/SystemStatus.cpp
+++ b/msm8998/core/SystemStatus.cpp
@@ -1396,7 +1396,7 @@ bool SystemStatus::setNmeaString(const char *data, uint32_t len)
 }
 char buf[SystemStatusNmeaBase::NMEA_MAXSIZE + 1] = { 0 };
- strlcpy(buf, data, (len < strlen(data))? len : strlen(data));
+ strlcpy(buf, data, sizeof(buf));
 pthread_mutex_lock(&mMutexSystemStatus);
diff --git a/msm8998/gnss/GnssAdapter.cpp b/msm8998/gnss/GnssAdapter.cpp
index 4f04ada..472a5d3 100644
--- a/msm8998/gnss/GnssAdapter.cpp
+++ b/msm8998/gnss/GnssAdapter.cpp
@@ -1977,9 +1977,9 @@ GnssAdapter::reportNmeaEvent(const char* nmea, size_t length, bool fromUlp)
 size_t length) :
 LocMsg(),
 mAdapter(adapter),
- mNmea(new char[length]),
+ mNmea(new char[length+1]),
 mLength(length) {
- memcpy((void*)mNmea, (void*)nmea, length);
+ strlcpy((char*)mNmea, nmea, length+1);
 }
 inline virtual ~MsgReportNmea()
 { |
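Review bot: The new `strlcpy(buf, data, sizeof(buf))` in setNmeaString no longer consults `len`, and strlcpy scans `data` up to its NUL to compute its return value. If a caller passes a buffer with no terminator inside `len` bytes, the write into `buf` is bounded but the read runs past the end of the source. Whether every caller terminates `data` is not visible here, so I would bound the copy by both sizes: `size_t n = (len < sizeof(buf) - 1) ? len : sizeof(buf) - 1;` followed by `memcpy(buf, data, n);`, which stays terminated because `buf` is zero-initialised. The body of setNmeaString starts and ends outside this hunk.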
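Review bot: In the MsgReportNmea constructor, `strlcpy((char*)mNmea, nmea, length+1)` stops at the first NUL in `nmea` while `mLength` still records `length`. If the sentence is shorter than `length`, the tail of the `new char[length+1]` allocation stays uninitialised, and a consumer that reads `mLength` bytes would pick up stale heap contents. If there is no NUL within `length` bytes, strlcpy keeps scanning the source beyond it. Keeping the exact-length copy and terminating explicitly avoids both: `memcpy((void*)mNmea, nmea, length);` then `((char*)mNmea)[length] = '\0';`. The constructor's signature and the code that consumes `mNmea`/`mLength` are outside this hunk, so the impact should be confirmed there.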