Also make sure we don't read beyond end of the string. --- drivers/atmodem/ussd.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c index c29f8f6..1d819a3 100644 --- a/drivers/atmodem/ussd.c +++ b/drivers/atmodem/ussd.c @@ -59,7 +59,7 @@ static void at_ussd_request(struct ofono_ussd *ussd, const char *str, { GAtChat *chat = ofono_ussd_get_data(ussd); struct cb_data *cbd = cb_data_new(cb, data); - unsigned char *converted; + unsigned char *converted = NULL; int dcs; int max_len; long written; @@ -83,7 +83,10 @@ static void at_ussd_request(struct ofono_ussd *ussd, const char *str, if (written > max_len) goto error; - sprintf(buf, "AT+CUSD=1,\"%s\",%d", converted, dcs); + sprintf(buf, "AT+CUSD=1,\"%*s\",%d", (int) written, converted, dcs); + + g_free(converted); + converted = NULL; if (g_at_chat_send(chat, buf, none_prefix, cusd_request_cb, cbd, g_free) > 0) @@ -92,6 +95,8 @@ static void at_ussd_request(struct ofono_ussd *ussd, const char *str, error: if (cbd) g_free(cbd); + if (converted) + g_free(converted); CALLBACK_WITH_FAILURE(cb, data); } -- 1.6.1