authorSanket Padawe <sanketpadawe@google.com>2018-02-10 22:40:59 +0100
committerTim Schumacher <timschumi@gmx.de>2018-02-12 13:27:32 +0100
commit85fd87521f98c0af950f81910ce2652a8b041085 (patch)
tree2d7317d0e01ea1e1119299bd0d1b0e7e3a69198e
parentbafa316951b14b02b38a4eda4d179472efa4cbd9 (diff)
xmm6260: Fix security vulnerability in pre-O rild code.cm-11.0
Remove wrong code for setup_data_call. Add check for max address for RIL_DIAL. Bug: 37896655 Test: Manual. (cherry picked from commit dda24c6557911aa1f4708abbd6b2f20f0e205b9e) Change-Id: Ie6742b10247e552343e3fcf8b2d2520722a0b24d
-rwxr-xr-xril/xmm6260/libril/ril.cpp14
1 files changed, 7 insertions, 7 deletions
diff --git a/ril/xmm6260/libril/ril.cpp b/ril/xmm6260/libril/ril.cpp
index 42b19ff..661d48d 100755
--- a/ril/xmm6260/libril/ril.cpp
+++ b/ril/xmm6260/libril/ril.cpp
@@ -3062,11 +3062,11 @@ static void debugCallback (int fd, short flags, void *param) {
int data;
unsigned int qxdm_data[6];
const char *deactData[1] = {"1"};
- char *actData[1];
RIL_Dial dialData;
int hangupData[1] = {1};
int number;
char **args;
+ int MAX_DIAL_ADDRESS = 128;
acceptFD = accept (fd, (sockaddr *) &peeraddr, &socklen);
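Review bot: `MAX_DIAL_ADDRESS` is added as a mutable `int` local with a macro-style name, and the later check compares it with the `size_t` result of `strlen()`, which is a signed/unsigned comparison. Declaring it as `static const size_t MAX_DIAL_ADDRESS = 128;` keeps the bound immutable and the comparison type-consistent. A one-line comment saying where the 128 limit comes from would also help, since nothing visible here shows which downstream buffer or field it protects. debugCallback's body continues outside this hunk.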
@@ -3148,12 +3148,6 @@ static void debugCallback (int fd, short flags, void *param) {
// Set network selection automatic.
issueLocalRequest(RIL_REQUEST_SET_NETWORK_SELECTION_AUTOMATIC, NULL, 0);
break;
- case 6:
- RLOGI("Debug port: Setup Data Call, Apn :%s\n", args[1]);
- actData[0] = args[1];
- issueLocalRequest(RIL_REQUEST_SETUP_DATA_CALL, &actData,
- sizeof(actData));
- break;
case 7:
RLOGI("Debug port: Deactivate Data Call");
issueLocalRequest(RIL_REQUEST_DEACTIVATE_DATA_CALL, &deactData,
@@ -3162,6 +3156,12 @@ static void debugCallback (int fd, short flags, void *param) {
case 8:
RLOGI("Debug port: Dial Call");
dialData.clir = 0;
+ if (strlen(args[1]) > MAX_DIAL_ADDRESS) {
+ RLOGE("Debug port: Error calling Dial");
+ freeDebugCallbackArgs(number, args);
+ close(acceptFD);
+ return;
+ }
dialData.address = args[1];
issueLocalRequest(RIL_REQUEST_DIAL, &dialData, sizeof(dialData));
break;
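Review bot: The new length check in `case 8` calls `strlen(args[1])` before anything in this hunk confirms that a second argument was actually received. The argument parsing sits earlier in debugCallback, outside the hunk, so this is inferred, but if it can leave `number` at 1 the check reads past the end of `args`. Testing the count first closes that gap: `if (number < 2 || args[1] == NULL || strlen(args[1]) > MAX_DIAL_ADDRESS) {`. The `RLOGE` text would be more useful for triage if it said the dial address was missing or too long instead of the generic `Error calling Dial`.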