Bluetooth: Classic: HFP_AG: Avoid potential array out-of-bounds access issues.

[lylezhu2012]

Describe the bug

At line 283 of the function get_new_call() in the file zephyr/subsys/bluetooth/host/classic/hfp_ag.c, when accessing a fixed-length data, it is not considered whether the array will cross the boundary.

zephyr/subsys/bluetooth/host/classic/hfp_ag.c

Line 283 in 265cfb4

strcpy(call->number, number);

However, this issue is not possible at present because all callers of the get_new_call() function will confirm that the length of number is less than the buffer size before calling the function get_new_call().

zephyr/subsys/bluetooth/host/classic/hfp_ag.c

Lines 2519 to 2526 in 265cfb4

	len = strlen(number);
	if (len == 0) {
	return -ENOTSUP;
	}
	if (len > CONFIG_BT_HFP_AG_PHONE_NUMBER_MAX_LEN) {
	return -ENAMETOOLONG;
	}

zephyr/subsys/bluetooth/host/classic/hfp_ag.c

Lines 3838 to 3841 in 265cfb4

	len = strlen(number);
	if ((len == 0) || (len > CONFIG_BT_HFP_AG_PHONE_NUMBER_MAX_LEN)) {
	return -EINVAL;
	}

To avoid potential array out-of-bounds access issues and easy to maintain, improve it.

[lylezhu2012]

The issue has been fixed by following changes,

zephyr/subsys/bluetooth/host/classic/hfp_ag.c

Lines 282 to 285 in 46f7313

	memset(call->number, 0, sizeof(call->number));
	if (number != NULL) {
	strncpy(call->number, number, sizeof(call->number) - 1);
	}