drivers: modem_cmd_handler: uninitialized variable used

[sslupsky]

I found an uninitialized variable being used in cmd_handler_process() in modem_cmd_handler.c. In the following snippet, len is used in the function call but is has not been initialized or otherwise assigned anywhere else in the function:

zephyr/drivers/modem/modem_cmd_handler.c

Lines 338 to 342 in 8af7187

	/* load match_buf with content up to the next CR/LF */
	/* NOTE: keep room in match_buf for ending NUL char */
	match_len = net_buf_linearize(data->match_buf,
	data->match_buf_len - 1,
	data->rx_buf, 0, len);

len is declared at the beginning of the function here:

zephyr/drivers/modem/modem_cmd_handler.c

Line 267 in 8af7187

u16_t offset, len;

Does anyone know what length value should be used here? There is another variable in the function, rx_len, that represents the number of bytes allocated by net_buf_append_bytes().

zephyr/drivers/modem/modem_cmd_handler.c

Lines 296 to 300 in 8af7187

	rx_len = net_buf_append_bytes(data->rx_buf, bytes_read,
	data->read_buf,
	data->alloc_timeout,
	read_rx_allocator,
	data->buf_pool);

It does not appear to me that rx_len is the total length of the received data payload, rather it is the length of the recently allocated data. So, if cmd_handler_process() is called several times over a large receive payload, is it possible the receive data could span more than one net_buf allocation and thus rx_len does not represent the correct length?

Since I am uncertain about how to fix this I did not prepare a PR. If someone with specific knowledge here could advise, I could make the fix and submit a PR.

[sslupsky]

Oops. Len is defined. Closed.