diff options
author | Sanket Padawe <sanketpadawe@google.com> | 2017-07-13 14:19:28 -0700 |
---|---|---|
committer | Sanket Padawe <sanketpadawe@google.com> | 2017-07-20 21:37:55 +0000 |
commit | bb6567cbaf6a8b46a47b1f471ee5bd5f4699fbdf (patch) | |
tree | 692569e5922989d6a6ca8bd351284b46a112acd5 | |
parent | 865ce3b4a2ba0b3a31421ca671f4d6c5595f8690 (diff) | |
download | android_hardware_ril-bb6567cbaf6a8b46a47b1f471ee5bd5f4699fbdf.tar.gz android_hardware_ril-bb6567cbaf6a8b46a47b1f471ee5bd5f4699fbdf.tar.bz2 android_hardware_ril-bb6567cbaf6a8b46a47b1f471ee5bd5f4699fbdf.zip |
DO NOT MERGE
Fix security vulnerability in pre-O rild code.
Remove wrong code for setup_data_call.
Add check for max address for RIL_DIAL.
Bug: 37896655
Test: Manual.
Change-Id: I05c027140ae828a2653794fcdd94e1b1a130941b
-rw-r--r-- | libril/ril.cpp | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/libril/ril.cpp b/libril/ril.cpp index 1957939..0c8fd27 100644 --- a/libril/ril.cpp +++ b/libril/ril.cpp @@ -2927,11 +2927,11 @@ static void debugCallback (int fd, short flags, void *param) { int data; unsigned int qxdm_data[6]; const char *deactData[1] = {"1"}; - char *actData[1]; RIL_Dial dialData; int hangupData[1] = {1}; int number; char **args; + int MAX_DIAL_ADDRESS = 128; acceptFD = accept (fd, (sockaddr *) &peeraddr, &socklen); @@ -3013,12 +3013,6 @@ static void debugCallback (int fd, short flags, void *param) { // Set network selection automatic. issueLocalRequest(RIL_REQUEST_SET_NETWORK_SELECTION_AUTOMATIC, NULL, 0); break; - case 6: - RLOGI("Debug port: Setup Data Call, Apn :%s\n", args[1]); - actData[0] = args[1]; - issueLocalRequest(RIL_REQUEST_SETUP_DATA_CALL, &actData, - sizeof(actData)); - break; case 7: RLOGI("Debug port: Deactivate Data Call"); issueLocalRequest(RIL_REQUEST_DEACTIVATE_DATA_CALL, &deactData, @@ -3027,6 +3021,12 @@ static void debugCallback (int fd, short flags, void *param) { case 8: RLOGI("Debug port: Dial Call"); dialData.clir = 0; + if (strlen(args[1]) > MAX_DIAL_ADDRESS) { + RLOGE("Debug port: Error calling Dial"); + freeDebugCallbackArgs(number, args); + close(acceptFD); + return; + } dialData.address = args[1]; issueLocalRequest(RIL_REQUEST_DIAL, &dialData, sizeof(dialData)); break; |