Invalid stack read when printing QMI message traces
The "LTE System Info v2" TLV in "NAS Get System Info" contains two 3-byte fixed-length fields for the MCC and MNC, encoded in ASCII. The MNC may really be 2 or 3 digits, so for a 2-digit MNC the third byte of the fixed-length array is 0xFF padding.
The printable TLV contents are not built correctly in this case: the fixed-size string reader method does UTF-8 validation while reading, so it stops at the 0xFF byte, reads the first two digits of the MNC and does not read the last byte.
The code doing this reading looks like this (the buggy shape, as generated for the printable TLV helper):
    {
        gchar tmp[4];   /* not initialized: tmp[0..2] hold whatever was on the stack */
        if (!qmi_message_tlv_read_fixed_size_string (message, init_offset, &offset, 3, &tmp[0], &error))
            goto out;
        tmp[3] = '\0';  /* terminates the string, but does not clear bytes the reader skipped */
        {
            g_string_append (printable, tmp);
        }
    }
The tmp array is not initialized, so if qmi_message_tlv_read_fixed_size_string() reads only 2 bytes, the logic ends up with a C string that contains one uninitialized byte. The tmp array is NUL-terminated at tmp[3], so the C string is correctly terminated, but its contents are not fully right. The result is that the MNC we print is not the correct one. In this case it looks like the tmp array bytes used to read the MNC are reused from the tmp array bytes that were used to read the MCC just before, so we get an invalid trailing '1' appended to the MNC: mcc = '901' mnc = '701'. Zero-initializing tmp, or terminating the string at the number of bytes the reader actually consumed instead of at the fixed field width, would print the expected mnc = '70'.
Full logs as follows:
<<<<<< TLV:
<<<<<< type = "LTE System Info v2" (0x19)
<<<<<< length = 29
<<<<<< value = 01:02:01:02:01:00:01:00:00:FF:FF:01:01:9B:01:00:00:00:00:01:39:30:31:37:30:FF:01:07:00
<<<<<< translated = [ domain_valid = 'yes' domain = 'ps' service_capability_valid = 'yes' service_capability = 'ps' roaming_status_valid = 'yes' roaming_status = 'off' forbidden_valid = 'yes' forbidden = 'no' lac_valid = 'no' lac = '65535' cid_valid = 'yes' cid = '105217' registration_reject_info_valid = 'no' registration_reject_domain = 'none' registration_reject_cause = 'none' network_id_valid = 'yes' mcc = '901' mnc = '701' tac_valid = 'yes' tac = '7' ]
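The following C program is an added example written for this report; it is not libqmi code. It embeds a constructed copy of the 29-byte TLV value from the log above, models the fixed-size string reader as "copy bytes until the first non-ASCII byte" (a simplification of the UTF-8 validation described above), re-enacts the stale-buffer effect deterministically by reusing the buffer that held the MCC (standing in for the uninitialized stack bytes), and shows the hardened decode that zero-initializes the buffers and terminates at the bytes actually read. The field offsets (network_id_valid at byte 19, MCC at 20, MNC at 23) are assumed from the translated field list, not taken from the generated libqmi code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed copy of the 29-byte "LTE System Info v2" TLV value from the
 * log in this report. The byte layout is assumed from the translated field
 * list, not taken from libqmi's generated code.
 */
static const uint8_t lte_sysinfo_v2_value[29] = {
    0x01, 0x02, 0x01, 0x02, 0x01, 0x00, 0x01, 0x00, /* domain .. forbidden     */
    0x00, 0xFF, 0xFF,                               /* lac_valid, lac          */
    0x01, 0x01, 0x9B, 0x01, 0x00,                   /* cid_valid, cid = 105217 */
    0x00, 0x00, 0x00,                               /* registration reject info*/
    0x01,                                           /* network_id_valid        */
    0x39, 0x30, 0x31,                               /* mcc = "901"             */
    0x37, 0x30, 0xFF,                               /* mnc = "70" + 0xFF pad   */
    0x01, 0x07, 0x00                                /* tac_valid, tac = 7      */
};

enum { NETWORK_ID_VALID_OFFSET = 19, MCC_OFFSET = 20, MNC_OFFSET = 23, ID_LEN = 3 };

/*
 * Simplified model (assumption) of the fixed-size string reader described in
 * the report: copies at most 'len' bytes from 'offset' and stops at the first
 * byte that is not valid UTF-8, which for an ASCII field is any byte >= 0x80.
 * Returns the number of bytes copied. 'out' is NOT terminated here, which is
 * exactly why the caller's buffer initialisation matters.
 */
static size_t read_fixed_size_string(const uint8_t *buf, size_t buflen,
                                     size_t offset, size_t len, char *out)
{
    size_t n = 0;
    if (offset > buflen || len > buflen - offset)
        return 0;
    while (n < len && buf[offset + n] < 0x80) {
        out[n] = (char)buf[offset + n];
        n++;
    }
    return n;
}

/*
 * Deterministic re-enactment of the buggy caller. The real code relies on
 * whatever happens to be on the stack; here the MCC is read into the same
 * buffer first, standing in for the stale stack bytes the report observed.
 * Returns what the buggy printer would append for the MNC ("701").
 */
static const char *decode_mnc_buggy_model(const uint8_t *value, size_t value_len, char tmp[4])
{
    read_fixed_size_string(value, value_len, MCC_OFFSET, ID_LEN, tmp); /* tmp = "901" */
    read_fixed_size_string(value, value_len, MNC_OFFSET, ID_LEN, tmp); /* only 2 bytes overwritten */
    tmp[3] = '\0'; /* terminated, but tmp[2] still holds the stale '1' */
    return tmp;
}

typedef struct {
    char mcc[4];
    char mnc[4];
} network_id;

/*
 * Hardened decode: buffers are zero-initialised and each string is terminated
 * at the number of bytes the reader actually consumed, not at the fixed field
 * width. A 2-digit MNC padded with 0xFF therefore decodes as "70".
 */
static bool decode_network_id(const uint8_t *value, size_t value_len, network_id *out)
{
    memset(out, 0, sizeof(*out));
    if (value_len < MNC_OFFSET + ID_LEN)
        return false;
    if (value[NETWORK_ID_VALID_OFFSET] != 0x01) /* network_id_valid = 'no' */
        return false;

    size_t n = read_fixed_size_string(value, value_len, MCC_OFFSET, ID_LEN, out->mcc);
    if (n != 3) /* MCC is always 3 digits */
        return false;
    out->mcc[n] = '\0';

    n = read_fixed_size_string(value, value_len, MNC_OFFSET, ID_LEN, out->mnc);
    if (n < 2) /* MNC is 2 or 3 digits */
        return false;
    out->mnc[n] = '\0';
    return true;
}

int main(void)
{
    char tmp[4];
    network_id id;

    printf("buggy model: mnc = '%s'\n",
           decode_mnc_buggy_model(lte_sysinfo_v2_value, sizeof lte_sysinfo_v2_value, tmp));
    if (decode_network_id(lte_sysinfo_v2_value, sizeof lte_sysinfo_v2_value, &id))
        printf("hardened:    mcc = '%s' mnc = '%s'\n", id.mcc, id.mnc);
    return 0;
}
```

The buggy model reproduces the mcc = '901' mnc = '701' line from the log; the hardened decode yields mnc = '70'. The key point for a reviewer of the generated printer code is that a fixed-size reader which may stop early must be paired with either a zeroed buffer or a terminator placed at the returned byte count, never a terminator at the fixed width alone.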