authorShinru Han <shinruhan@google.com>2019-07-10 01:06:48 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>2019-07-10 01:06:48 +0000
commit9a12303e86a301ce111d534ecd59c188436ade78 (patch)
treec55b95cb6a3c8ce61517295d7d7d66d0427f9b89
parent18b5c1a74fd77d53b0adc75b5651ea6be0070629 (diff)
parentd89dce95f10157544b8fed372050a89abda86b61 (diff)
downloadgps-9a12303e86a301ce111d534ecd59c188436ade78.tar.gz
Merge "Integer overflow leading to a buffer overflow"
-rw-r--r--msm8998/gnss/Agps.cpp15
-rw-r--r--msm8998/gnss/GnssAdapter.cpp14
2 files changed, 21 insertions, 8 deletions
diff --git a/msm8998/gnss/Agps.cpp b/msm8998/gnss/Agps.cpp
index e671daa..f2fcdd9 100644
--- a/msm8998/gnss/Agps.cpp
+++ b/msm8998/gnss/Agps.cpp
@@ -452,19 +452,20 @@ void AgpsStateMachine::setAPN(char* apn, unsigned int len){
if (NULL != mAPN) {
delete mAPN;
+ mAPN = NULL;
}
- if (apn == NULL || len <= 0) {
+ if (NULL == apn || len <= 0 || len > MAX_APN_LEN || strlen(apn) != len) {
LOC_LOGD("Invalid apn len (%d) or null apn", len);
mAPN = NULL;
mAPNLen = 0;
- }
-
- if (NULL != apn) {
+ } else {
mAPN = new char[len+1];
- memcpy(mAPN, apn, len);
- mAPN[len] = '\0';
- mAPNLen = len;
+ if (NULL != mAPN) {
+ memcpy(mAPN, apn, len);
+ mAPN[len] = '\0';
+ mAPNLen = len;
+ }
}
}
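Review bot: The added `strlen(apn) != len` test in setAPN scans `apn` until it finds a NUL, so a buffer passed without a terminator is read past its end before the length can be rejected. If the caller only guarantees `len` readable bytes, `strnlen(apn, len) != len` keeps the scan inside them, and the copy below already writes its own terminator. The same unbounded `strlen(apnName)` appears in the check added to GnssAdapter::dataConnOpenCommand. Separately, the context line `delete mAPN;` frees memory that this function allocates with `new char[len+1]`, so it should be `delete[] mAPN;`. Any earlier lines of setAPN are outside the hunk.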
diff --git a/msm8998/gnss/GnssAdapter.cpp b/msm8998/gnss/GnssAdapter.cpp
index fadf350..ac5f600 100644
--- a/msm8998/gnss/GnssAdapter.cpp
+++ b/msm8998/gnss/GnssAdapter.cpp
@@ -2543,6 +2543,12 @@ void GnssAdapter::dataConnOpenCommand(
new char[apnLen + 1]), mApnLen(apnLen), mIpType(ipType) {
LOC_LOGV("AgpsMsgAtlOpenSuccess");
+ if (mApnName == nullptr) {
+ LOC_LOGE("%s] new allocation failed, fatal error.", __func__);
+ // Reporting the failure here
+ mAgpsManager->reportAtlClosed(mAgpsType);
+ return;
+ }
memcpy(mApnName, apnName, apnLen);
mApnName[apnLen] = 0;
}
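Review bot: The new `if (mApnName == nullptr)` guard in the AgpsMsgAtlOpenSuccess constructor is probably unreachable, because the member is initialised with plain `new char[apnLen + 1]`. Plain `new` reports failure by throwing, or by aborting when exceptions are disabled, rather than by returning null. For the guard to work the allocation would need to be `new (std::nothrow) char[apnLen + 1]`, with `<new>` included. The `if (NULL != mAPN)` added in AgpsStateMachine::setAPN has the same issue. Also, `return` from the constructor does not stop the caller's `sendMsg(new AgpsMsgAtlOpenSuccess(...))` from queueing the object, so its handler, which lies mostly outside this hunk, should check `mApnName` for null before using it.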
@@ -2558,9 +2564,15 @@ void GnssAdapter::dataConnOpenCommand(
mIpType);
}
};
-
+ // Added inital length checks for apnlen check to avoid security issues
+ // In case of failure reporting the same
+ if (NULL == apnName || apnLen <= 0 || apnLen > MAX_APN_LEN || (strlen(apnName) != apnLen)) {
+ LOC_LOGe("%s]: incorrect apnlen length or incorrect apnName", __func__);
+ mAgpsManager.reportAtlClosed(agpsType);
+ } else {
sendMsg( new AgpsMsgAtlOpenSuccess(
&mAgpsManager, (AGpsExtType)agpsType, apnName, apnLen, ipType));
+ }
}
void GnssAdapter::dataConnClosedCommand(AGpsExtType agpsType){
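Review bot: The comment added above the check in dataConnOpenCommand records that a change was made rather than what the check guarantees, and it misspells `inital`. Something like `// Reject a null, empty, over-long or length-mismatched APN before it is copied into the message.` would age better. The two log calls added to this file also differ: the constructor uses `LOC_LOGE("%s] ...")` and this branch uses `LOC_LOGe("%s]: ...")`, so it is worth confirming that both macros and prefixes are intended. The beginning of dataConnOpenCommand is outside the hunk.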