authorSarah Chin <sarahchin@google.com>2020-02-21 02:55:09 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2020-02-21 02:55:09 +0000
commit8c238b7dca4d65b1767d7ab172831559c7684523 (patch)
tree82cf1774d1f41400de37f8b7294c363588e996f3
parent02ed800d62556cbf95666373d288efdd9ef090e7 (diff)
parent535660a21fb6d0c9f36f055699619230bf683530 (diff)
Merge "Fix OOB vulnerability in setGsm/CdmaSmsBroadcastConfigInfo"
-rw-r--r--include/telephony/ril.h1
-rwxr-xr-xlibril/ril_service.cpp12
2 files changed, 13 insertions, 0 deletions
diff --git a/include/telephony/ril.h b/include/telephony/ril.h
index e1897772..75301466 100644
--- a/include/telephony/ril.h
+++ b/include/telephony/ril.h
@@ -107,6 +107,7 @@ extern "C" {
#define MAX_BANDS 8
#define MAX_CHANNELS 32
#define MAX_RADIO_ACCESS_NETWORKS 8
+#define MAX_BROADCAST_SMS_CONFIG_INFO 25
typedef void * RIL_Token;
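Review bot: MAX_BROADCAST_SMS_CONFIG_INFO is added without a comment saying what it bounds, although the second file in this commit uses it as the accept/reject limit for two request handlers. A one-line comment above the define would tie the limit to its users, for example `/* Max configInfo entries accepted by setGsmBroadcastConfig / setCdmaBroadcastConfig */`. If the value 25 comes from a specification or a modem-side buffer size, naming that source in the comment would help whoever next has to judge whether the limit can change.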
diff --git a/libril/ril_service.cpp b/libril/ril_service.cpp
index c6556722..c97b607a 100755
--- a/libril/ril_service.cpp
+++ b/libril/ril_service.cpp
@@ -1799,6 +1799,12 @@ Return<void> RadioImpl::setGsmBroadcastConfig(int32_t serial,
}
int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setGsmBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
RIL_GSM_BroadcastSmsConfigInfo gsmBci[num];
RIL_GSM_BroadcastSmsConfigInfo *gsmBciPtrs[num];
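Review bot: The new bound in setGsmBroadcastConfig is applied to `num` only after `configInfo.size()` has been narrowed to `int`, and only the upper side is checked. If size() returns an unsigned type (its declaration is not visible here), a very large value could become a negative `num`, pass `num > MAX_BROADCAST_SMS_CONFIG_INFO`, and still reach the variable-length arrays `gsmBci[num]` and `gsmBciPtrs[num]`. Comparing before narrowing, `if (configInfo.size() > MAX_BROADCAST_SMS_CONFIG_INFO) {`, or adding `num < 0 ||` to the condition, would cover that case. The log line also prints the request name under the label "length"; `RLOGE("setGsmBroadcastConfig: Invalid configInfo length %d", num);` would record the rejected value, which is more useful when triaging malformed requests. Both points apply equally to the setCdmaBroadcastConfig hunk, and both function bodies start and end outside the hunks.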
@@ -1846,6 +1852,12 @@ Return<void> RadioImpl::setCdmaBroadcastConfig(int32_t serial,
}
int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setCdmaBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
RIL_CDMA_BroadcastSmsConfigInfo cdmaBci[num];
RIL_CDMA_BroadcastSmsConfigInfo *cdmaBciPtrs[num];