diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2018-06-11 22:25:35 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-06-11 22:25:35 +0000 |
| commit | 892f826e184e95949bd8ad661df79e8f9c9f0b3c (patch) | |
| tree | b43916a3319f31a88b2067ffb83ad3560e0cd683 | |
| parent | 1f56232eeb266696121cc78e7c81bfb3c8550a56 (diff) | |
| parent | f708108f763668e646f8c5015c5d392ecc297b84 (diff) | |
| download | telephony-oreo-m2-s5-release.tar.gz | |
Merge cherrypicks of [4314166, 4314167, 4314168, 4314169, 4314462, 4314463, 4314464, 4314465, 4314466, 4314643, 4314644, 4314185, 4314467, 4314468, 4315341, 4315342, 4315343, 4315344, 4315345, 4314469, 4314283, 4314186, 4314187, 4314188, 4314189, 4314190, 4314191, 4314192, 4315082, 4315083, 4315084, 4315085, 4315086, 4315087, 4315088, 4315089, 4315090, 4315091, 4315092, 4314170, 4314284, 4314285, 4314286, 4314287, 4314171, 4314172, 4315346, 4314288, 4315381, 4315401, 4315402, 4314289, 4314290, 4314291, 4314292, 4314293, 4314294, 4314295, 4314296, 4314297, 4314298, 4314299, 4314300, 4315421, 4315422, 4314034, 4314229, 4315347, 4315423, 4315424, 4315314, 4315348, 4315349, 4314470, 4315425, 4315426, 4315427, 4315428, 4315429] into sparse-4732990-L02900000181396755android-8.1.0_r36oreo-m2-s5-release
Change-Id: If01f5522debf987e9af968ceecc68f925943987f
| -rw-r--r-- | src/java/com/android/internal/telephony/InboundSmsHandler.java | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java index 2d663cd713..99fd965b63 100644 --- a/src/java/com/android/internal/telephony/InboundSmsHandler.java +++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java @@ -74,6 +74,7 @@ import java.util.Arrays; import java.util.HashMap; import java.util.List; import java.util.Map; +import android.util.EventLog; /** * This class broadcasts incoming SMS messages to interested apps after storing them in @@ -803,6 +804,19 @@ public abstract class InboundSmsHandler extends StateMachine { int destPort = tracker.getDestPort(); boolean block = false; + // Do not process when the message count is invalid. + if (messageCount <= 0) { + EventLog.writeEvent( + 0x534e4554 /* snetTagId */, + "72298611" /* buganizer id */, + -1 /* uid */, + String.format( + "processMessagePart: invalid messageCount = %d", + messageCount)); + + return false; + } + if (messageCount == 1) { // single-part message pdus = new byte[][]{tracker.getPdu()}; @@ -838,6 +852,21 @@ public abstract class InboundSmsHandler extends StateMachine { int index = cursor.getInt(PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING .get(SEQUENCE_COLUMN)) - tracker.getIndexOffset(); + // The invalid PDUs can be received and stored in the raw table. The range + // check ensures the process not crash even if the seqNumber in the + // UserDataHeader is invalid. + if (index >= pdus.length || index < 0) { + EventLog.writeEvent( + 0x534e4554 /* snetTagId */, + "72298611" /* buganizer id */, + -1 /* uid */, + String.format( + "processMessagePart: invalid seqNumber = %d, messageCount = %d", + index + tracker.getIndexOffset(), + messageCount)); + continue; + } + pdus[index] = HexDump.hexStringToByteArray(cursor.getString( PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING.get(PDU_COLUMN))); |