diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2018-06-11 22:32:46 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-06-11 22:32:46 +0000 |
| commit | 3511fd4c5abed929d45da09b6e22fd5f02259345 (patch) | |
| tree | b43916a3319f31a88b2067ffb83ad3560e0cd683 | |
| parent | c5823fe639049330e33bfaa2c84b4a9ba68bd6e7 (diff) | |
| parent | c5ff0942b18af06e813ef3882d334f31279a2e75 (diff) | |
| download | telephony-oreo-m4-s10-release.tar.gz | |
Merge cherrypicks of [4314173, 4314174, 4314175, 4314176, 4314471, 4314472, 4314473, 4314474, 4314475, 4314645, 4314646, 4314193, 4314476, 4314477, 4315350, 4315351, 4315352, 4315353, 4315354, 4314478, 4315430, 4314194, 4314195, 4314196, 4314197, 4314198, 4314199, 4314200, 4315093, 4315094, 4315095, 4315096, 4315097, 4315098, 4315099, 4315100, 4315501, 4315502, 4315503, 4314177, 4315431, 4315432, 4315433, 4315434, 4314178, 4314179, 4315355, 4315435, 4315382, 4315403, 4315404, 4315436, 4315437, 4315438, 4315439, 4315440, 4315521, 4315522, 4315523, 4315524, 4315525, 4315526, 4315527, 4315528, 4315529, 4314035, 4314230, 4315356, 4315530, 4315531, 4315471, 4315357, 4315358, 4314479, 4315532, 4315533, 4315534, 4315535, 4315536] into sparse-4732991-L06700000181398573android-8.1.0_r40oreo-m4-s10-release
Change-Id: Id09c375c15738f765772609ece26ab4675bf0747
| -rw-r--r-- | src/java/com/android/internal/telephony/InboundSmsHandler.java | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java index 2d663cd713..99fd965b63 100644 --- a/src/java/com/android/internal/telephony/InboundSmsHandler.java +++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java @@ -74,6 +74,7 @@ import java.util.Arrays; import java.util.HashMap; import java.util.List; import java.util.Map; +import android.util.EventLog; /** * This class broadcasts incoming SMS messages to interested apps after storing them in @@ -803,6 +804,19 @@ public abstract class InboundSmsHandler extends StateMachine { int destPort = tracker.getDestPort(); boolean block = false; + // Do not process when the message count is invalid. + if (messageCount <= 0) { + EventLog.writeEvent( + 0x534e4554 /* snetTagId */, + "72298611" /* buganizer id */, + -1 /* uid */, + String.format( + "processMessagePart: invalid messageCount = %d", + messageCount)); + + return false; + } + if (messageCount == 1) { // single-part message pdus = new byte[][]{tracker.getPdu()}; @@ -838,6 +852,21 @@ public abstract class InboundSmsHandler extends StateMachine { int index = cursor.getInt(PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING .get(SEQUENCE_COLUMN)) - tracker.getIndexOffset(); + // The invalid PDUs can be received and stored in the raw table. The range + // check ensures the process not crash even if the seqNumber in the + // UserDataHeader is invalid. + if (index >= pdus.length || index < 0) { + EventLog.writeEvent( + 0x534e4554 /* snetTagId */, + "72298611" /* buganizer id */, + -1 /* uid */, + String.format( + "processMessagePart: invalid seqNumber = %d, messageCount = %d", + index + tracker.getIndexOffset(), + messageCount)); + continue; + } + pdus[index] = HexDump.hexStringToByteArray(cursor.getString( PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING.get(PDU_COLUMN))); |