author | Sarah Chin <sarahchin@google.com> | 2020-02-03 12:38:02 -0800 |
---|---|---|
committer | Sarah Chin <sarahchin@google.com> | 2020-02-20 17:12:34 -0800 |
commit | 535660a21fb6d0c9f36f055699619230bf683530 (patch) | |
tree | 82cf1774d1f41400de37f8b7294c363588e996f3 | |
parent | 02ed800d62556cbf95666373d288efdd9ef090e7 (diff) | |
Fix OOB vulnerability in setGsm/CdmaSmsBroadcastConfigInfo
Error if length > 25
Test: lunch cf_x86_phone-userdebug && mm
Bug: 144046782
Change-Id: I18f9745174762a52fc20bfc7273c6b3fd2118da5
Merged-In: I18f9745174762a52fc20bfc7273c6b3fd2118da5
-rw-r--r-- | include/telephony/ril.h | 1 | ||||
-rwxr-xr-x | libril/ril_service.cpp | 12 |
2 files changed, 13 insertions, 0 deletions
diff --git a/include/telephony/ril.h b/include/telephony/ril.h
index e1897772..75301466 100644
--- a/include/telephony/ril.h
+++ b/include/telephony/ril.h
@@ -107,6 +107,7 @@ extern "C" {
 #define MAX_BANDS 8
 #define MAX_CHANNELS 32
 #define MAX_RADIO_ACCESS_NETWORKS 8
+#define MAX_BROADCAST_SMS_CONFIG_INFO 25
 typedef void * RIL_Token;
diff --git a/libril/ril_service.cpp b/libril/ril_service.cpp
index c6556722..c97b607a 100755
--- a/libril/ril_service.cpp
+++ b/libril/ril_service.cpp
@@ -1799,6 +1799,12 @@ Return<void> RadioImpl::setGsmBroadcastConfig(int32_t serial,
 }
 int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setGsmBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
 RIL_GSM_BroadcastSmsConfigInfo gsmBci[num];
 RIL_GSM_BroadcastSmsConfigInfo *gsmBciPtrs[num];
@@ -1846,6 +1852,12 @@ Return<void> RadioImpl::setCdmaBroadcastConfig(int32_t serial,
 }
 int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setCdmaBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
 RIL_CDMA_BroadcastSmsConfigInfo cdmaBci[num];
 RIL_CDMA_BroadcastSmsConfigInfo *cdmaBciPtrs[num]; |
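Review bot: MAX_BROADCAST_SMS_CONFIG_INFO is added without a comment saying which limit it mirrors, so a later reader cannot tell whether 25 can be raised safely. I would add a comment above the define, for example `/* Upper bound on broadcast SMS config entries accepted by setGsmBroadcastConfig / setCdmaBroadcastConfig */`, and name the downstream buffer or specification limit it comes from if there is one. The hunk shows only the neighbouring MAX_* defines, so the origin of the value is not visible here.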
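Review bot: The new bound in setGsmBroadcastConfig is tested on `num` after `configInfo.size()` has already been narrowed to `int`, so a size that does not fit in `int` could come out negative, pass `num > MAX_BROADCAST_SMS_CONFIG_INFO`, and still reach the `gsmBci[num]` declaration. Comparing the unsigned size before the narrowing closes that gap, `if (configInfo.size() > MAX_BROADCAST_SMS_CONFIG_INFO) {`, and the same applies to the setCdmaBroadcastConfig hunk. The RLOGE text says "length" but its `%s` prints the request name, so the rejected length never reaches the log; a format such as `"setGsmBroadcastConfig: Invalid configInfo length %d for %s"` with `num` as the first argument would make rejected requests easier to triage. Both functions begin and continue outside their hunks, so how `num` is used further down is not visible here.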