diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2018-06-04 23:56:42 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-06-04 23:56:42 +0000 |
| commit | 0965a02f510c4c1b82a02f9760dd66dff25f3447 (patch) | |
| tree | b43916a3319f31a88b2067ffb83ad3560e0cd683 | |
| parent | c5823fe639049330e33bfaa2c84b4a9ba68bd6e7 (diff) | |
| parent | e4e76c7c3bdfb4fc14c756e9cdf88a79da349176 (diff) | |
| download | telephony-oreo-m4-s9-release.tar.gz | |
Merge cherrypicks of [4252776, 4252777, 4252778, 4252779, 4253819, 4253820, 4256261, 4256262, 4254470, 4254471, 4256281, 4255145, 4255146, 4255252, 4255253, 4255254, 4255255, 4252780, 4255147, 4252862, 4256148, 4256149, 4256150, 4256151, 4256152, 4256153, 4256154, 4255256, 4255257, 4255258, 4255259, 4253843, 4253844, 4253845, 4253846, 4253847, 4253848, 4253849, 4256156, 4256269, 4256272, 4256273, 4256401, 4255338, 4255339, 4256422, 4256402, 4256157, 4256223, 4256224, 4256158, 4256159, 4256160, 4256441, 4256442, 4256443, 4256444, 4256445, 4256446, 4256447, 4256448, 4256449, 4256450, 4256451, 4254472, 4256285, 4256403, 4256274, 4256424, 4256452, 4256275, 4256276, 4255153, 4253850, 4253851, 4253852, 4253853, 4253854] into sparse-4732991-L34000000179248081android-8.1.0_r39oreo-m4-s9-release
Change-Id: I4c5eb221e6610374495119caa5c642ddbf02ed32
| -rw-r--r-- | src/java/com/android/internal/telephony/InboundSmsHandler.java | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java index 2d663cd713..99fd965b63 100644 --- a/src/java/com/android/internal/telephony/InboundSmsHandler.java +++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java @@ -74,6 +74,7 @@ import java.util.Arrays; import java.util.HashMap; import java.util.List; import java.util.Map; +import android.util.EventLog; /** * This class broadcasts incoming SMS messages to interested apps after storing them in @@ -803,6 +804,19 @@ public abstract class InboundSmsHandler extends StateMachine { int destPort = tracker.getDestPort(); boolean block = false; + // Do not process when the message count is invalid. + if (messageCount <= 0) { + EventLog.writeEvent( + 0x534e4554 /* snetTagId */, + "72298611" /* buganizer id */, + -1 /* uid */, + String.format( + "processMessagePart: invalid messageCount = %d", + messageCount)); + + return false; + } + if (messageCount == 1) { // single-part message pdus = new byte[][]{tracker.getPdu()}; @@ -838,6 +852,21 @@ public abstract class InboundSmsHandler extends StateMachine { int index = cursor.getInt(PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING .get(SEQUENCE_COLUMN)) - tracker.getIndexOffset(); + // The invalid PDUs can be received and stored in the raw table. The range + // check ensures the process not crash even if the seqNumber in the + // UserDataHeader is invalid. + if (index >= pdus.length || index < 0) { + EventLog.writeEvent( + 0x534e4554 /* snetTagId */, + "72298611" /* buganizer id */, + -1 /* uid */, + String.format( + "processMessagePart: invalid seqNumber = %d, messageCount = %d", + index + tracker.getIndexOffset(), + messageCount)); + continue; + } + pdus[index] = HexDump.hexStringToByteArray(cursor.getString( PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING.get(PDU_COLUMN))); |