broadband-modem: minimally verify QCDM MDN before using it

Sometimes it's garbage, and we don't like garbage.

1 files changed, 24 insertions, 3 deletions

diff --git a/src/mm-broadband-modem.c b/src/mm-broadband-modem.c
index b3ec35a3..7b34f78c 100644
--- a/src/mm-broadband-modem.c
+++ b/src/mm-broadband-modem.c
@@ -941,9 +941,30 @@ mdn_qcdm_ready (MMQcdmSerialPort *port,
     }
 
     if (qcdm_result_get_string (result, QCDM_CMD_NV_GET_MDN_ITEM_MDN, &numbers[0]) >= 0) {
-        g_simple_async_result_set_op_res_gpointer (ctx->result,
-                                                   g_strdupv ((gchar **) numbers),
-                                                   NULL);
+        gboolean valid = TRUE;
+        const char *p = numbers[0];
+
+        /* Returned NV item data is read directly out of NV memory on the card,
+         * so minimally verify it.
+         */
+        if (strlen (numbers[0]) < 6 || strlen (numbers[0]) > 15)
+            valid = FALSE;
+
+        /* MDN is always decimal digits; allow + for good measure */
+        while (p && *p && valid)
+            valid = g_ascii_isdigit (*p++) || (*p == '+');
+
+        if (valid) {
+            g_simple_async_result_set_op_res_gpointer (ctx->result,
+                                                       g_strdupv ((gchar **) numbers),
+                                                       NULL);
+        } else {
+            g_simple_async_result_set_error (ctx->result,
+                                             MM_CORE_ERROR,
+                                             MM_CORE_ERROR_FAILED,
+                                             "%s",
+                                             "MDN from NV memory appears invalid");
+        }
     } else {
         g_simple_async_result_set_error (ctx->result,
                                          MM_CORE_ERROR,