Hi,
The function `modem_info_get_fw_version` uses a fixed size buffer `format`: https://github.com/nrfconnect/sdk-nrf/blob/27eb54ef7183af81f3413c31532f1dd242c36e19/lib/modem_info/modem_info.c#L807
The size is defined by `SWVER_FMT_STR_SIZE` which is hardcoded to 23. The following line:
sprintf(format, "%%%%SHORTSWVER: %%%d[^\r\n]", buf_size);
generates the following string assuming that `buf_size` is 99: "%%SHORTSWVER: %99[^\r\n]" plus a null terminator. This is exactly 23 characters long.
This means that the format string can only fit a `buf_size` which is only 1 or 2 digits long. If you pass in `buf_size` larger than this (say 100) then this causes a buffer overflow.
My suggestion to fix this is to use `MODEM_INFO_FWVER_SIZE` in the sprintf, not `buf_size`.
Thanks,
Jeremy