author | Pengquan Meng <mpq@google.com> | 2018-03-23 14:29:55 -0700 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-06-19 19:33:00 +0200 |
commit | 16368108c689abcca10ae7a7fc1afcc30e583024 (patch) | |
tree | 258e7fc2e635b82d2689903b6a978fb55f17cd29 | |
parent | 2e61ee4703436cd6c20406fe47dc2a3724329f41 (diff) | |
Fixed invalid pdu issueHEADreplicant-6.0-0004-transitionreplicant-6.0-0004-rc6replicant-6.0-0004-rc5-transitionreplicant-6.0-0004-rc5replicant-6.0-0004-rc4replicant-6.0-0004-rc3replicant-6.0-0004-rc2replicant-6.0-0004-rc1replicant-6.0-0004cm-13.0
The device may receive an invalid SMS PDU, i.e. a PDU that contains an SMS header
with an invalid seqNumber. This caused InboundSmsHandler to crash constantly.
This CL added the range check for the seqNumber to ensure the
InboundSmsHandler will not crash even if the seqNumber is invalid.
Test: runtest -x GsmInboundSmsHandlerTest -m
testMultiPartSmsWithInvalidSeqNumber
Bug: 72298611
Merged-In: Icf291c8530abdc2a528c5cf227cf00135281b899
Change-Id: Icf291c8530abdc2a528c5cf227cf00135281b899
(cherry picked from commit 9eec9d02937dd41fc94ad1c874f8467f4698df5c)
(cherry picked from commit d2f410c0ff07c5a7b79e61bc36527b0259677de7)
(cherry picked from commit e8955271c5ca1595ae7c495b6cd7c5f8515d65ea)
CVE-2018-9362
-rw-r--r-- | src/java/com/android/internal/telephony/InboundSmsHandler.java | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java
index 6877c2e42..32b9c1162 100644
--- a/src/java/com/android/internal/telephony/InboundSmsHandler.java
+++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java
@@ -84,6 +84,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import android.util.EventLog;
 /**
 * This class broadcasts incoming SMS messages to interested apps after storing them in
@@ -802,6 +803,19 @@ public abstract class InboundSmsHandler extends StateMachine {
 int destPort = tracker.getDestPort();
 String address = "";
+ // Do not process when the message count is invalid.
+ if (messageCount <= 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid messageCount = %d",
+ messageCount));
+
+ return false;
+ }
+
 if (messageCount == 1) {
 // single-part message
 pdus = new byte[][]{tracker.getPdu()};
@@ -835,6 +849,21 @@ public abstract class InboundSmsHandler extends StateMachine {
 // subtract offset to convert sequence to 0-based array index
 int index = cursor.getInt(SEQUENCE_COLUMN) - tracker.getIndexOffset();
+ // The invalid PDUs can be received and stored in the raw table. The range
+ // check ensures the process not crash even if the seqNumber in the
+ // UserDataHeader is invalid.
+ if (index >= pdus.length || index < 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid seqNumber = %d, messageCount = %d",
+ index + tracker.getIndexOffset(),
+ messageCount));
+ continue;
+ }
+
 pdus[index] = HexDump.hexStringToByteArray(cursor.getString(PDU_COLUMN));
 // Read the destination port from the first segment (needed for CDMA WAP PDU). |
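Review bot: The `messageCount <= 0` guard returns `false` without saying what becomes of the entry that carried the bad count, and the one-line comment above it should state that. The comment in the later seqNumber hunk notes that invalid PDUs can be stored in the raw table; if that also applies to this tracker, the early return presumably leaves the row in place to be read again on a later pass. I would extend the comment to something like `// Do not process when the message count is invalid; the stored row is left for the stale-entry cleanup (confirm) to remove.`, or delete the row here if no cleanup path covers it. processMessagePart begins and ends outside this hunk, so how the caller treats `false` cannot be checked from here.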
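Review bot: Skipping an out-of-range segment with `continue` leaves that segment's slot in `pdus` unfilled, and nothing in this hunk prevents the array from being used with a `null` element once the loop ends. If the cursor returned the expected number of rows and one of them had a bad sequence number, the code after the loop (outside this hunk) would presumably receive an incomplete message and could fail on the empty slot instead. Consider rejecting the whole message rather than the single part, for example a null-entry check after the loop such as `if (Arrays.asList(pdus).contains(null)) return false;`, placed before the PDUs are parsed. The same hunk's `String.format` call is fine as is; only the control flow after the log needs attention.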