aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPengquan Meng <mpq@google.com>2018-03-23 14:29:55 -0700
committerTim Schumacher <timschumi@gmx.de>2018-06-19 19:33:00 +0200
commit16368108c689abcca10ae7a7fc1afcc30e583024 (patch)
tree258e7fc2e635b82d2689903b6a978fb55f17cd29
parent2e61ee4703436cd6c20406fe47dc2a3724329f41 (diff)
downloadandroid_frameworks_opt_telephony-cm-13.0.tar.gz
android_frameworks_opt_telephony-cm-13.0.tar.bz2
android_frameworks_opt_telephony-cm-13.0.zip
Fixed invalid pdu issueHEADreplicant-6.0-0004-transitionreplicant-6.0-0004-rc6replicant-6.0-0004-rc5-transitionreplicant-6.0-0004-rc5replicant-6.0-0004-rc4replicant-6.0-0004-rc3replicant-6.0-0004-rc2replicant-6.0-0004-rc1replicant-6.0-0004cm-13.0
The device may receive invalid sms pdu, i.e the pdu contins sms header with an invalid seqNumber. This caused InboundSmsHandler crashed constantly. This CL added the range check for the seqNumber to ensure the InboundSmsHandler will not crash even if the seqNumber is invalid. Test: runtest -x GsmInboundSmsHandlerTest -m testMultiPartSmsWithInvalidSeqNumber Bug: 72298611 Merged-In: Icf291c8530abdc2a528c5cf227cf00135281b899 Change-Id: Icf291c8530abdc2a528c5cf227cf00135281b899 (cherry picked from commit 9eec9d02937dd41fc94ad1c874f8467f4698df5c) (cherry picked from commit d2f410c0ff07c5a7b79e61bc36527b0259677de7) (cherry picked from commit e8955271c5ca1595ae7c495b6cd7c5f8515d65ea) CVE-2018-9362
Diffstat
-rw-r--r--src/java/com/android/internal/telephony/InboundSmsHandler.java29
1 files changed, 29 insertions, 0 deletions
diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java
index 6877c2e42..32b9c1162 100644
--- a/src/java/com/android/internal/telephony/InboundSmsHandler.java
+++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java
@@ -84,6 +84,7 @@ import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
+import android.util.EventLog;
/**
* This class broadcasts incoming SMS messages to interested apps after storing them in
@@ -802,6 +803,19 @@ public abstract class InboundSmsHandler extends StateMachine {
int destPort = tracker.getDestPort();
String address = "";
+ // Do not process when the message count is invalid.
+ if (messageCount <= 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid messageCount = %d",
+ messageCount));
+
+ return false;
+ }
+
if (messageCount == 1) {
// single-part message
pdus = new byte[][]{tracker.getPdu()};
@@ -835,6 +849,21 @@ public abstract class InboundSmsHandler extends StateMachine {
// subtract offset to convert sequence to 0-based array index
int index = cursor.getInt(SEQUENCE_COLUMN) - tracker.getIndexOffset();
+ // The invalid PDUs can be received and stored in the raw table. The range
+ // check ensures the process not crash even if the seqNumber in the
+ // UserDataHeader is invalid.
+ if (index >= pdus.length || index < 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid seqNumber = %d, messageCount = %d",
+ index + tracker.getIndexOffset(),
+ messageCount));
+ continue;
+ }
+
pdus[index] = HexDump.hexStringToByteArray(cursor.getString(PDU_COLUMN));
// Read the destination port from the first segment (needed for CDMA WAP PDU).
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-25 06:29:52 +0000