authorPengquan Meng <mpq@google.com>2018-04-16 00:19:45 -0700
committerRohit Yengisetty <rngy@google.com>2018-04-17 17:20:59 -0700
commit0f1f3e94a8826becd5e2e65afffd15b31244ef9a (patch)
tree8a00f7fbeede1ec2bbc9b261518a00642a7188d7
parent86dd3d2269bc264138cc314b349864dfd8cb115a (diff)
The device may receive an invalid sms pdu, i.e. the pdu contains an sms header with an invalid seqNumber. This caused InboundSmsHandler to crash constantly. This CL adds a range check for the seqNumber to ensure that InboundSmsHandler will not crash even if the seqNumber is invalid. Bug: 72298611 Test: no test Merged-In: I219961d63bbb3b9195cfea8b38a877a00af70522 Merged-In: Icf291c8530abdc2a528c5cf227cf00135281b899 Change-Id: I5e9ac1248bb87991547639b594b32a769c86eab3 (cherry picked from commit 4b938358de86296d9776fafa2b52da0ec6be05d0)
-rw-r--r--src/java/com/android/internal/telephony/InboundSmsHandler.java29
1 files changed, 29 insertions, 0 deletions
diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java
index a70aa26af4..d52e71b27f 100644
--- a/src/java/com/android/internal/telephony/InboundSmsHandler.java
+++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java
@@ -67,6 +67,7 @@ import android.telephony.SmsMessage;
import android.telephony.SubscriptionManager;
import android.telephony.TelephonyManager;
import android.text.TextUtils;
+import android.util.EventLog;
import com.android.internal.R;
import com.android.internal.annotations.VisibleForTesting;
@@ -729,6 +730,18 @@ public abstract class InboundSmsHandler extends StateMachine {
byte[][] pdus;
int destPort = tracker.getDestPort();
+ // Do not process when the message count is invalid.
+ if (messageCount <= 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid messageCount = %d",
+ messageCount));
+ return false;
+ }
+
if (messageCount == 1) {
// single-part message
pdus = new byte[][]{tracker.getPdu()};
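Review bot: Both new `String.format` calls format `%d` with the default locale, so on a device set to a locale with its own digit set the number in the security event can be written in non-ASCII digits, which makes the entry harder to match and parse; this applies to the `messageCount <= 0` guard here and to the seqNumber range check in the next hunk. Plain concatenation avoids this without a new import, e.g. `"processMessagePart: invalid messageCount = " + messageCount`. The two `EventLog.writeEvent` calls also repeat the tag `0x534e4554` and the bug id literal, which would be easier to keep consistent in one small private helper. The enclosing method starts and ends outside this hunk.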
@@ -762,6 +775,22 @@ public abstract class InboundSmsHandler extends StateMachine {
// subtract offset to convert sequence to 0-based array index
int index = cursor.getInt(SEQUENCE_COLUMN) - tracker.getIndexOffset();
+ // The invalid PDUs can be received and stored in the raw table. The range
+ // check ensures the process not crash even if the seqNumber in the
+ // UserDataHeader is invalid.
+ if (index >= pdus.length || index < 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid seqNumber = %d, "
+ + "messageCount = %d",
+ index + tracker.getIndexOffset(),
+ messageCount));
+ continue;
+ }
+
pdus[index] = HexDump.hexStringToByteArray(cursor.getString(PDU_COLUMN));
// Read the destination port from the first segment (needed for CDMA WAP PDU).
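Review bot: The `continue` in the new range check skips the offending row without filling any slot, so `pdus` can leave the loop with a null element whenever one stored part carries an out-of-range seqNumber. Whatever consumes `pdus` after the loop is outside this hunk, but if it does not tolerate a null entry, the crash this change prevents may simply move further down the method. Consider rejecting the whole message once the loop has finished, e.g. `for (byte[] p : pdus) { if (p == null) return false; }`, or returning false at the point of detection instead of `continue`. The loop and the rest of the method extend beyond the hunk, so this should be confirmed against the full file.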