drivers/modem: Increase sprintk buffers to hold parameter types

These drivers use stack buffers to hold AT command strings which are
generated at runtime using sprintk. The buffers are only sized for the
expected range of values, not the full possible range given the datatypes
involved. Values outside this expected range could cause a buffer overflow.

To mitigate this, increase the size of each buffef to hold the full range
of each parameter type.

Signed-off-by: Keith Packard <keithp@keithp.com>

drivers/modem/hl7800.c

@@ -1230,7 +1230,7 @@ int32_t mdm_hl7800_get_functionality(void)
 int32_t mdm_hl7800_set_functionality(enum mdm_hl7800_functionality mode)
 {
 	int ret;
-	char buf[sizeof("AT+CFUN=0,0")] = { 0 };
+	char buf[sizeof("AT+CFUN=###,0")] = { 0 };
 
 	hl7800_lock();
 	wakeup_hl7800();
@@ -3829,7 +3829,7 @@ done:
 
 static int delete_socket(struct hl7800_socket *sock, enum net_sock_type type, uint8_t id)
 {
-	char cmd[sizeof("AT+KUDPCLOSE=##")];
+	char cmd[sizeof("AT+KUDPCLOSE=###")];
 
 	if (type == SOCK_STREAM) {
 		snprintk(cmd, sizeof(cmd), "AT+KTCPDEL=%d", id);
@@ -4105,7 +4105,7 @@ done:
 
 static int start_socket_rx(struct hl7800_socket *sock, uint16_t rx_size)
 {
-	char sendbuf[sizeof("AT+KTCPRCV=##,####")];
+	char sendbuf[sizeof("AT+KTCPRCV=+#########,#####")];
 
 	if ((sock->socket_id <= 0) || (sock->rx_size <= 0)) {
 		LOG_WRN("Cannot start socket RX, ID: %d rx size: %d",

drivers/modem/quectel-bg9x.c

@@ -688,7 +688,9 @@ static int offload_connect(void *obj, const struct sockaddr *addr,
 	uint16_t	    dst_port  = 0;
 	char		    *protocol = "TCP";
 	struct modem_cmd    cmd[]     = { MODEM_CMD("+QIOPEN: ", on_cmd_atcmdinfo_sockopen, 2U, ",") };
-	char		    buf[sizeof("AT+QIOPEN=#,##,###,####.####.####.####,######")] = {0};
+	char		    buf[sizeof("AT+QIOPEN=#,#,'###','###',"
+				       "####.####.####.####.####.####.####.####,######,"
+				       "0,0")] = {0};
 	int		    ret;
 	char		    ip_str[NET_IPV6_ADDR_LEN];
 

drivers/modem/ublox-sara-r4.c

@@ -291,7 +291,9 @@ static ssize_t send_socket_data(void *obj,
 				k_timeout_t timeout)
 {
 	int ret;
-	char send_buf[sizeof("AT+USO**=#,!###.###.###.###!,#####,####\r\n")];
+	char send_buf[sizeof("AT+USO**=###,"
+			     "!####.####.####.####.####.####.####.####!,"
+			     "#####,#########\r\n")];
 	uint16_t dst_port = 0U;
 	struct modem_socket *sock = (struct modem_socket *)obj;
 	const struct modem_cmd handler_cmds[] = {
@@ -1530,7 +1532,7 @@ static int offload_connect(void *obj, const struct sockaddr *addr,
 {
 	struct modem_socket *sock = (struct modem_socket *)obj;
 	int ret;
-	char buf[sizeof("AT+USOCO=#,!###.###.###.###!,#####,#\r")];
+	char buf[sizeof("AT+USOCO=###,!####.####.####.####.####.####.####.####!,#####,#\r")];
 	uint16_t dst_port = 0U;
 	char ip_str[NET_IPV6_ADDR_LEN];
 

drivers/modem/wncm14a2a.c

@@ -912,7 +912,7 @@ static void on_cmd_sockdataind(struct net_buf **buf, uint16_t len)
 	size_t out_len;
 	char *delim1, *delim2;
 	char value[sizeof("#,#,#####\r")];
-	char sendbuf[sizeof("AT@SOCKREAD=#,#####\r")];
+	char sendbuf[sizeof("AT@SOCKREAD=-#####,-#####\r")];
 	struct wncm14a2a_socket *sock = NULL;
 
 	out_len = net_buf_linearize(value, sizeof(value) - 1, *buf, 0, len);
@@ -1519,7 +1519,7 @@ static int offload_get(sa_family_t family,
 		       struct net_context **context)
 {
 	int ret;
-	char buf[sizeof("AT@SOCKCREAT=#,#\r")];
+	char buf[sizeof("AT@SOCKCREAT=###,#\r")];
 	struct wncm14a2a_socket *sock = NULL;
 
 	/* new socket */