diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2018-05-08 23:35:02 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-05-08 23:35:02 +0000 |
| commit | d36d15d8d8c1fa4178c10c9cbb68a8e7b9dec375 (patch) | |
| tree | b43916a3319f31a88b2067ffb83ad3560e0cd683 | |
| parent | c5823fe639049330e33bfaa2c84b4a9ba68bd6e7 (diff) | |
| parent | a42870e1df7dbf384aa1d7a02584eb755e821417 (diff) | |
| download | telephony-oreo-m4-s6-release.tar.gz | |
Merge cherrypicks of [4027695, 4027696, 4025411, 4025412, 4026839, 4025429, 4025430, 4025346, 4025347, 4025348, 4025413, 4025414, 4027656, 4027657, 4027658, 4027659, 4027097, 4027098, 4027099, 4027100, 4027101, 4027715, 4027716, 4025431, 4025349, 4027697, 4027698, 4027699, 4027700, 4027701, 4027702, 4027703, 4027704, 4027706, 4025432, 4025433, 4027708, 4027709, 4026841, 4027662, 4027664, 4027666] into sparse-4732991-L45700000171084049android-8.1.0_r32oreo-m4-s6-release
Change-Id: Ibf2a70824260e26bb78200ab60862bf765477a10
| -rw-r--r-- | src/java/com/android/internal/telephony/InboundSmsHandler.java | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java index 2d663cd713..99fd965b63 100644 --- a/src/java/com/android/internal/telephony/InboundSmsHandler.java +++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java @@ -74,6 +74,7 @@ import java.util.Arrays; import java.util.HashMap; import java.util.List; import java.util.Map; +import android.util.EventLog; /** * This class broadcasts incoming SMS messages to interested apps after storing them in @@ -803,6 +804,19 @@ public abstract class InboundSmsHandler extends StateMachine { int destPort = tracker.getDestPort(); boolean block = false; + // Do not process when the message count is invalid. + if (messageCount <= 0) { + EventLog.writeEvent( + 0x534e4554 /* snetTagId */, + "72298611" /* buganizer id */, + -1 /* uid */, + String.format( + "processMessagePart: invalid messageCount = %d", + messageCount)); + + return false; + } + if (messageCount == 1) { // single-part message pdus = new byte[][]{tracker.getPdu()}; @@ -838,6 +852,21 @@ public abstract class InboundSmsHandler extends StateMachine { int index = cursor.getInt(PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING .get(SEQUENCE_COLUMN)) - tracker.getIndexOffset(); + // The invalid PDUs can be received and stored in the raw table. The range + // check ensures the process not crash even if the seqNumber in the + // UserDataHeader is invalid. + if (index >= pdus.length || index < 0) { + EventLog.writeEvent( + 0x534e4554 /* snetTagId */, + "72298611" /* buganizer id */, + -1 /* uid */, + String.format( + "processMessagePart: invalid seqNumber = %d, messageCount = %d", + index + tracker.getIndexOffset(), + messageCount)); + continue; + } + pdus[index] = HexDump.hexStringToByteArray(cursor.getString( PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING.get(PDU_COLUMN))); |