-rw-r--r--include/telephony/ril.h1
-rwxr-xr-xlibril/ril_service.cpp12
2 files changed, 13 insertions, 0 deletions
diff --git a/include/telephony/ril.h b/include/telephony/ril.h
index e1897772..75301466 100644
--- a/include/telephony/ril.h
+++ b/include/telephony/ril.h
@@ -107,6 +107,7 @@ extern "C" {
#define MAX_BANDS 8
#define MAX_CHANNELS 32
#define MAX_RADIO_ACCESS_NETWORKS 8
+#define MAX_BROADCAST_SMS_CONFIG_INFO 25
typedef void * RIL_Token;
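Review bot: `MAX_BROADCAST_SMS_CONFIG_INFO` is added with no comment saying where the value 25 comes from or what it protects. The rest of this commit uses it to cap the element count of the stack arrays in setGsmBroadcastConfig and setCdmaBroadcastConfig in libril/ril_service.cpp. A one-line comment would keep a later edit from raising the limit without considering stack use, for example `/* Max broadcast SMS config entries accepted per request; bounds on-stack arrays in libril */`.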
diff --git a/libril/ril_service.cpp b/libril/ril_service.cpp
index c6556722..c97b607a 100755
--- a/libril/ril_service.cpp
+++ b/libril/ril_service.cpp
@@ -1799,6 +1799,12 @@ Return<void> RadioImpl::setGsmBroadcastConfig(int32_t serial,
}
int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setGsmBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
RIL_GSM_BroadcastSmsConfigInfo gsmBci[num];
RIL_GSM_BroadcastSmsConfigInfo *gsmBciPtrs[num];
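Review bot: The added guard in setGsmBroadcastConfig bounds `num` only from above, while `num` is a signed `int` assigned from `configInfo.size()` and then used to size the two variable-length arrays. If size() returns an unsigned type (its declaration is not visible in this hunk), a value that converts to a negative `int` would pass the check, so `if (num < 0 || num > MAX_BROADCAST_SMS_CONFIG_INFO) {` closes that case without touching the rest of the function. The RLOGE text says "Invalid configInfo length" but formats only the request name, so the rejected length never reaches the log; `RLOGE("setGsmBroadcastConfig: Invalid configInfo length %d for %s", num, requestToString(pRI->pCI->requestNumber));` would record it. Both points apply equally to the setCdmaBroadcastConfig hunk below. The function body starts and continues outside this hunk.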
@@ -1846,6 +1852,12 @@ Return<void> RadioImpl::setCdmaBroadcastConfig(int32_t serial,
}
int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setCdmaBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
RIL_CDMA_BroadcastSmsConfigInfo cdmaBci[num];
RIL_CDMA_BroadcastSmsConfigInfo *cdmaBciPtrs[num];