-rw-r--r-- | src/java/com/android/internal/telephony/InboundSmsHandler.java | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java
index 7637e6e6b..316c66bd6 100644
--- a/src/java/com/android/internal/telephony/InboundSmsHandler.java
+++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java
@@ -57,6 +57,7 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import android.util.EventLog;
 import static android.telephony.TelephonyManager.PHONE_TYPE_CDMA;
@@ -660,6 +661,19 @@ public abstract class InboundSmsHandler extends StateMachine {
 byte[][] pdus;
 int destPort = tracker.getDestPort();
+ // Do not process when the message count is invalid.
+ if (messageCount <= 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid messageCount = %d",
+ messageCount));
+
+ return false;
+ }
+
 if (messageCount == 1) {
 // single-part message
 pdus = new byte[][]{tracker.getPdu()};
@@ -693,6 +707,21 @@ public abstract class InboundSmsHandler extends StateMachine {
 // subtract offset to convert sequence to 0-based array index
 int index = cursor.getInt(SEQUENCE_COLUMN) - tracker.getIndexOffset();
+ // The invalid PDUs can be received and stored in the raw table. The range
+ // check ensures the process not crash even if the seqNumber in the
+ // UserDataHeader is invalid.
+ if (index >= pdus.length || index < 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid seqNumber = %d, messageCount = %d",
+ index + tracker.getIndexOffset(),
+ messageCount));
+ continue;
+ }
+
 pdus[index] = HexDump.hexStringToByteArray(cursor.getString(PDU_COLUMN));
 // Read the destination port from the first segment (needed for CDMA WAP PDU). |
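Review bot: The early `return false` for `messageCount <= 0` does not say what becomes of the segment that triggered it. Nothing in this hunk shows whether the caller deletes the stored row, so a malformed message may remain in the raw table; the comment should state the intended outcome, e.g. `// Invalid count: reject without dispatch; the stored row is removed by <cleanup path - confirm>`. The `EventLog.writeEvent(0x534e4554, "72298611", -1, ...)` call is repeated verbatim in the sequence-number check in the next hunk, and a small private helper taking only the message would keep the tag and bug id in one place. `String.format` without an explicit locale can render `%d` with locale-specific digits, so passing `Locale.US` keeps the event text stable for log parsing. The body of processMessagePart starts and ends outside the hunk.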
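Review bot: Skipping an out-of-range segment with `continue` leaves the corresponding slot in `pdus` as null, and nothing visible in this hunk rejects the message afterwards. If the code after the loop (outside the hunk) assumes every entry is populated, a multipart message with an invalid or duplicated sequence number would move the failure downstream instead of removing it. A check once the loop finishes, such as `if (Arrays.asList(pdus).contains(null)) { return false; }`, would make the rejection explicit; `java.util.Arrays` already appears in the file's imports. The enclosing loop starts and ends outside the hunk.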