Merge cherrypicks of [4027705, 4027707, 4027735, 4027736, 4026840, 4025434, 4027755, 4025350, 4025351, 4025352, 4027737, 4027738, 4027660, 4027661, 4027663, 4027665, 4027102, 4027103, 4027104, 4027105, 4027106, 4027717, 4027718, 4027756, 4025353, 4027710, 4027711, 4027712, 4027713, 4027714, 4027795, 4027796, 4027797, 4027798, 4027757, 4027758, 4027799, 4027800, 4026842, 4027667, 4027668, 4027669] into sparse-4732990-L09800000171085564android-8.1.0_r30 oreo-m2-s3-release

Change-Id: Ie9eef60df008f8dfa831884001ef02fd9b384306
author: android-build-team Robot <android-build-team-robot@google.com> 2018-05-08 23:36:23 +0000
committer: android-build-team Robot <android-build-team-robot@google.com> 2018-05-08 23:36:23 +0000
commit: 06bddd321a9802b772a76c3ae31a165a52833d93 (patch)
tree: b43916a3319f31a88b2067ffb83ad3560e0cd683
parent: 1f56232eeb266696121cc78e7c81bfb3c8550a56 (diff)
parent: ee3963c3284a7a28a9fa466c1a897136050cdd99 (diff)
download: telephony-oreo-m2-s3-release.tar.gz
1 files changed, 29 insertions, 0 deletions
diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java
index 2d663cd713..99fd965b63 100644
--- a/src/java/com/android/internal/telephony/InboundSmsHandler.java
+++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java
@@ -74,6 +74,7 @@ import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import android.util.EventLog;
 
 /**
  * This class broadcasts incoming SMS messages to interested apps after storing them in
@@ -803,6 +804,19 @@ public abstract class InboundSmsHandler extends StateMachine {
         int destPort = tracker.getDestPort();
         boolean block = false;
 
+        // Do not process when the message count is invalid.
+        if (messageCount <= 0) {
+            EventLog.writeEvent(
+                    0x534e4554 /* snetTagId */,
+                    "72298611" /* buganizer id */,
+                    -1 /* uid */,
+                    String.format(
+                            "processMessagePart: invalid messageCount = %d",
+                            messageCount));
+
+            return false;
+        }
+
         if (messageCount == 1) {
             // single-part message
             pdus = new byte[][]{tracker.getPdu()};
@@ -838,6 +852,21 @@ public abstract class InboundSmsHandler extends StateMachine {
                     int index = cursor.getInt(PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING
                             .get(SEQUENCE_COLUMN)) - tracker.getIndexOffset();
 
+                    // The invalid PDUs can be received and stored in the raw table. The range
+                    // check ensures the process not crash even if the seqNumber in the
+                    // UserDataHeader is invalid.
+                    if (index >= pdus.length || index < 0) {
+                        EventLog.writeEvent(
+                                0x534e4554 /* snetTagId */,
+                                "72298611" /* buganizer id */,
+                                -1 /* uid */,
+                                String.format(
+                                        "processMessagePart: invalid seqNumber = %d, messageCount = %d",
+                                        index + tracker.getIndexOffset(),
+                                        messageCount));
+                        continue;
+                    }
+
                     pdus[index] = HexDump.hexStringToByteArray(cursor.getString(
                             PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING.get(PDU_COLUMN)));
author	android-build-team Robot <android-build-team-robot@google.com>	2018-05-08 23:36:23 +0000
committer	android-build-team Robot <android-build-team-robot@google.com>	2018-05-08 23:36:23 +0000
commit	06bddd321a9802b772a76c3ae31a165a52833d93 (patch)
tree	b43916a3319f31a88b2067ffb83ad3560e0cd683
parent	1f56232eeb266696121cc78e7c81bfb3c8550a56 (diff)
parent	ee3963c3284a7a28a9fa466c1a897136050cdd99 (diff)
download	telephony-oreo-m2-s3-release.tar.gz