From 535660a21fb6d0c9f36f055699619230bf683530 Mon Sep 17 00:00:00 2001
From: Sarah Chin
Date: Mon, 3 Feb 2020 12:38:02 -0800
Subject: Fix OOB vulnerability in setGsm/CdmaSmsBroadcastConfigInfo

Error if length > 25

Test: lunch cf_x86_phone-userdebug && mm
Bug: 144046782
Change-Id: I18f9745174762a52fc20bfc7273c6b3fd2118da5
Merged-In: I18f9745174762a52fc20bfc7273c6b3fd2118da5
---
 include/telephony/ril.h | 1 +
 libril/ril_service.cpp | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/include/telephony/ril.h b/include/telephony/ril.h
index e1897772..75301466 100644
--- a/include/telephony/ril.h
+++ b/include/telephony/ril.h
@@ -107,6 +107,7 @@ extern "C" {
 #define MAX_BANDS 8
 #define MAX_CHANNELS 32
 #define MAX_RADIO_ACCESS_NETWORKS 8
+#define MAX_BROADCAST_SMS_CONFIG_INFO 25
 
 typedef void * RIL_Token;
 
diff --git a/libril/ril_service.cpp b/libril/ril_service.cpp
index c6556722..c97b607a 100755
--- a/libril/ril_service.cpp
+++ b/libril/ril_service.cpp
@@ -1799,6 +1799,12 @@ Return RadioImpl::setGsmBroadcastConfig(int32_t serial,
     }
 
     int num = configInfo.size();
+    if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+        RLOGE("setGsmBroadcastConfig: Invalid configInfo length %s",
+                requestToString(pRI->pCI->requestNumber));
+        sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+        return Void();
+    }
     RIL_GSM_BroadcastSmsConfigInfo gsmBci[num];
     RIL_GSM_BroadcastSmsConfigInfo *gsmBciPtrs[num];
 
@@ -1846,6 +1852,12 @@ Return RadioImpl::setCdmaBroadcastConfig(int32_t serial,
     }
 
     int num = configInfo.size();
+    if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+        RLOGE("setCdmaBroadcastConfig: Invalid configInfo length %s",
+                requestToString(pRI->pCI->requestNumber));
+        sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+        return Void();
+    }
     RIL_CDMA_BroadcastSmsConfigInfo cdmaBci[num];
     RIL_CDMA_BroadcastSmsConfigInfo *cdmaBciPtrs[num];
 
-- 
cgit v1.2.3
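Review bot: MAX_BROADCAST_SMS_CONFIG_INFO is added beside the other MAX_* limits in ril.h with nothing saying what it bounds or where 25 comes from, so a later reader cannot tell whether it is a protocol limit or simply the largest list the service is willing to copy onto its stack. A one-line comment on the new define would settle that, e.g. `/* Max entries accepted by setGsm/CdmaBroadcastConfig; larger lists are rejected with RIL_E_INVALID_ARGUMENTS (Bug: 144046782) */`. If the value is derived from a modem or spec limit, naming that source in the comment is worth more than the number itself.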
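Review bot: The new guard in setGsmBroadcastConfig compares after `configInfo.size()` has already been narrowed into `int num`, so a size too large for an int would wrap negative, pass `num > MAX_BROADCAST_SMS_CONFIG_INFO`, and still reach the variable-length arrays `gsmBci[num]` and `gsmBciPtrs[num]`; comparing the unsigned size first closes that gap, `if (configInfo.size() > MAX_BROADCAST_SMS_CONFIG_INFO) {` (whether a HIDL vector can actually carry such a size is not visible from the hunk). Now that the count is bounded, the two VLAs could be declared with `MAX_BROADCAST_SMS_CONFIG_INFO` as a fixed size instead of `num`, which also avoids the zero-length array when `num` is 0 and drops a GNU extension. The log message says "Invalid configInfo length" but prints only the request name; including the rejected value, `RLOGE("setGsmBroadcastConfig: Invalid configInfo length %d for %s", num, requestToString(pRI->pCI->requestNumber));`, makes the rejection actionable when triaging logs. The same three points apply to the setCdmaBroadcastConfig hunk. Both functions begin and continue outside their hunks.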