From 18bfefba2dba3f5c77cd971820646d84a85f9334 Mon Sep 17 00:00:00 2001
From: Dan Williams <dcbw@redhat.com>
Date: Wed, 24 Apr 2013 15:04:57 -0500
Subject: iface-modem: fix array insertion when setting bands

You can't g_array_insert_val() to an index that's beyond the end
of the array, which was happening if the user tried to set the
band list to "any":

mmcli -m 0 --set-bands=any

Just use g_array_append_val() instead.

==5618== Invalid read of size 2
==5618==    at 0x4A0A158: memcpy@GLIBC_2.2.5 (mc_replace_strmem.c:881)
==5618==    by 0x326201D8FB: g_array_insert_vals (string3.h:57)
==5618==    by 0x442EFB: mm_iface_modem_set_bands (mm-iface-modem.c:1982)
==5618==    by 0x44307E: handle_set_bands_auth_ready (mm-iface-modem.c:2100)
==5618==    by 0x326386DFF6: g_simple_async_result_complete (gsimpleasyncresult.c:775)
==5618==    by 0x4358E3: authorize_ready (mm-base-modem.c:1300)
==5618==    by 0x326386DFF6: g_simple_async_result_complete (gsimpleasyncresult.c:775)
==5618==    by 0x326386E0F8: complete_in_idle_cb (gsimpleasyncresult.c:787)
==5618==    by 0x3262047A54: g_main_context_dispatch (gmain.c:2715)
==5618==    by 0x3262047D87: g_main_context_iterate.isra.24 (gmain.c:3290)
==5618==    by 0x3262048181: g_main_loop_run (gmain.c:3484)
==5618==    by 0x426235: main (main.c:142)
==5618==  Address 0x10a7ea74e is not stack'd, malloc'd or (recently) free'd
==5618==
==5618==
==5618== Process terminating with default action of signal 11 (SIGSEGV)
==5618==  Access not within mapped region at address 0x10A7EA74E
==5618==    at 0x4A0A158: memcpy@GLIBC_2.2.5 (mc_replace_strmem.c:881)
==5618==    by 0x326201D8FB: g_array_insert_vals (string3.h:57)
==5618==    by 0x442EFB: mm_iface_modem_set_bands (mm-iface-modem.c:1982)
==5618==    by 0x44307E: handle_set_bands_auth_ready (mm-iface-modem.c:2100)
==5618==    by 0x326386DFF6: g_simple_async_result_complete (gsimpleasyncresult.c:775)
==5618==    by 0x4358E3: authorize_ready (mm-base-modem.c:1300)
==5618==    by 0x326386DFF6: g_simple_async_result_complete (gsimpleasyncresult.c:775)
==5618==    by 0x326386E0F8: complete_in_idle_cb (gsimpleasyncresult.c:787)
==5618==    by 0x3262047A54: g_main_context_dispatch (gmain.c:2715)
==5618==    by 0x3262047D87: g_main_context_iterate.isra.24 (gmain.c:3290)
==5618==    by 0x3262048181: g_main_loop_run (gmain.c:3484)
==5618==    by 0x426235: main (main.c:142)
---
 src/mm-iface-modem.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/mm-iface-modem.c b/src/mm-iface-modem.c
index 703de027..8eadc73b 100644
--- a/src/mm-iface-modem.c
+++ b/src/mm-iface-modem.c
@@ -1976,8 +1976,7 @@ mm_iface_modem_set_bands (MMIfaceModem *self,
                                                           FALSE,
                                                           sizeof (MMModemBand),
                                                           supported_bands_array->len);
-
-                g_array_insert_val (ctx->bands_array, i, band);
+                g_array_append_val (ctx->bands_array, band);
             }
         }
     }
-- 
cgit v1.2.3-70-g09d2