author | Sanket Padawe <sanketpadawe@google.com> | 2017-08-10 05:01:05 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2017-08-10 05:01:05 +0000 |
commit | 6c6d404fb53d13443a76efa0873e7c58366c35b2 (patch) | |
tree | 61d5d795be9ea0606033f38cdc68fb7940b5f490 | |
parent | 77142523ff4b74c5db4a32c351d1d4d9331caaac (diff) | |
parent | a5eeaef8ee4f08dfca1e3a4c16d9cf9d93fb3963 (diff) | |
Merge "DO NOT MERGE Fix security vulnerability in pre-O rild code." into nyc-dev am: f0cbbbcdac am: ab379831bc
am: a5eeaef8ee
Change-Id: Ib9d670d0c8aae05dace42e4fe6cf448a30735ea9
-rw-r--r-- | libril/ril.cpp | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/libril/ril.cpp b/libril/ril.cpp
index d7744c0..0803563 100644
--- a/libril/ril.cpp
+++ b/libril/ril.cpp
@@ -4419,12 +4419,12 @@ static void debugCallback (int fd, short flags, void *param) {
 int data;
 unsigned int qxdm_data[6];
 const char *deactData[1] = {"1"};
- char *actData[1];
 RIL_Dial dialData;
 int hangupData[1] = {1};
 int number;
 char **args;
 RIL_SOCKET_ID socket_id = RIL_SOCKET_1;
+ int MAX_DIAL_ADDRESS = 128;
 int sim_id = 0;
 RLOGI("debugCallback for socket %s", rilSocketIdToString(socket_id));
@@ -4571,12 +4571,6 @@ static void debugCallback (int fd, short flags, void *param) {
 // Set network selection automatic.
 issueLocalRequest(RIL_REQUEST_SET_NETWORK_SELECTION_AUTOMATIC, NULL, 0, socket_id);
 break;
- case 6:
- RLOGI("Debug port: Setup Data Call, Apn :%s\n", args[1]);
- actData[0] = args[1];
- issueLocalRequest(RIL_REQUEST_SETUP_DATA_CALL, &actData,
- sizeof(actData), socket_id);
- break;
 case 7:
 RLOGI("Debug port: Deactivate Data Call");
 issueLocalRequest(RIL_REQUEST_DEACTIVATE_DATA_CALL, &deactData,
@@ -4585,6 +4579,12 @@ static void debugCallback (int fd, short flags, void *param) {
 case 8:
 RLOGI("Debug port: Dial Call");
 dialData.clir = 0;
+ if (strlen(args[1]) > MAX_DIAL_ADDRESS) {
+ RLOGE("Debug port: Error calling Dial");
+ freeDebugCallbackArgs(number, args);
+ close(acceptFD);
+ return;
+ }
 dialData.address = args[1];
 issueLocalRequest(RIL_REQUEST_DIAL, &dialData, sizeof(dialData), socket_id);
 break; |
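Review bot: `MAX_DIAL_ADDRESS` is added in the first hunk as a mutable `int` local, but the check it feeds in case 8 compares it with the `size_t` result of `strlen()`, so the comparison mixes signed and unsigned operands and the limit stays writable. Declaring it as `static const size_t MAX_DIAL_ADDRESS = 128;` keeps the comparison in one type and makes the bound a true constant. The hunk does not show where 128 comes from, so a short comment such as `// Longest dial address accepted from the debug socket; must not exceed what the RIL_REQUEST_DIAL handler can hold` would record the assumption a later reader has to verify. debugCallback's body begins before and continues after this hunk.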
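Review bot: The new guard in case 8 calls `strlen(args[1])` before anything visible in this hunk confirms that the debug client supplied a second argument, so the length check itself depends on `args[1]` being a valid, terminated string. The argument parsing lies outside the hunk and may already guarantee this, but `if (number < 2 || args[1] == NULL || strlen(args[1]) > MAX_DIAL_ADDRESS) {` would make the case self-contained. Case 7 in the preceding hunk does not read `args`, so only this case is affected among the visible ones. The `RLOGE` text would be easier to triage if it stated that the dial address was rejected for its length rather than the generic "Error calling Dial".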