author | Shinru Han <shinruhan@google.com> | 2019-07-10 01:06:48 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2019-07-10 01:06:48 +0000 |
commit | 9a12303e86a301ce111d534ecd59c188436ade78 (patch) | |
tree | c55b95cb6a3c8ce61517295d7d7d66d0427f9b89 | |
parent | 18b5c1a74fd77d53b0adc75b5651ea6be0070629 (diff) | |
parent | d89dce95f10157544b8fed372050a89abda86b61 (diff) | |
Merge "Integer overflow leading to a buffer overflow"
-rw-r--r-- | msm8998/gnss/Agps.cpp | 15 | ||||
-rw-r--r-- | msm8998/gnss/GnssAdapter.cpp | 14 |
2 files changed, 21 insertions, 8 deletions
diff --git a/msm8998/gnss/Agps.cpp b/msm8998/gnss/Agps.cpp
index e671daa..f2fcdd9 100644
--- a/msm8998/gnss/Agps.cpp
+++ b/msm8998/gnss/Agps.cpp
@@ -452,19 +452,20 @@ void AgpsStateMachine::setAPN(char* apn, unsigned int len){
     if (NULL != mAPN) {
         delete mAPN;
+        mAPN = NULL;
     }
-    if (apn == NULL || len <= 0) {
+    if (NULL == apn || len <= 0 || len > MAX_APN_LEN || strlen(apn) != len) {
         LOC_LOGD("Invalid apn len (%d) or null apn", len);
         mAPN = NULL;
         mAPNLen = 0;
-    }
-
-    if (NULL != apn) {
+    } else {
         mAPN = new char[len+1];
-        memcpy(mAPN, apn, len);
-        mAPN[len] = '\0';
-        mAPNLen = len;
+        if (NULL != mAPN) {
+            memcpy(mAPN, apn, len);
+            mAPN[len] = '\0';
+            mAPNLen = len;
+        }
     }
 }
diff --git a/msm8998/gnss/GnssAdapter.cpp b/msm8998/gnss/GnssAdapter.cpp
index fadf350..ac5f600 100644
--- a/msm8998/gnss/GnssAdapter.cpp
+++ b/msm8998/gnss/GnssAdapter.cpp
@@ -2543,6 +2543,12 @@ void GnssAdapter::dataConnOpenCommand(
                         new char[apnLen + 1]), mApnLen(apnLen), mIpType(ipType) {
             LOC_LOGV("AgpsMsgAtlOpenSuccess");
+            if (mApnName == nullptr) {
+                LOC_LOGE("%s] new allocation failed, fatal error.", __func__);
+                // Reporting the failure here
+                mAgpsManager->reportAtlClosed(mAgpsType);
+                return;
+            }
             memcpy(mApnName, apnName, apnLen);
             mApnName[apnLen] = 0;
         }
@@ -2558,9 +2564,15 @@ void GnssAdapter::dataConnOpenCommand(
                     mIpType);
         }
     };
-
+    // Added inital length checks for apnlen check to avoid security issues
+    // In case of failure reporting the same
+    if (NULL == apnName || apnLen <= 0 || apnLen > MAX_APN_LEN || (strlen(apnName) != apnLen)) {
+        LOC_LOGe("%s]: incorrect apnlen length or incorrect apnName", __func__);
+        mAgpsManager.reportAtlClosed(agpsType);
+    } else {
     sendMsg( new AgpsMsgAtlOpenSuccess(
             &mAgpsManager, (AGpsExtType)agpsType, apnName, apnLen, ipType));
+    }
 }
 void GnssAdapter::dataConnClosedCommand(AGpsExtType agpsType){
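Review bot: `delete mAPN;` at the top of the setAPN hunk releases storage that the same function obtains with `new char[len+1]`, so it must be `delete[] mAPN;` — the scalar/array mismatch is undefined behavior and survives the commit, which only nulls the pointer afterwards. The new `if (NULL != mAPN)` test after `new char[len+1]` only has an effect when the file is built without exceptions; under a throwing `new` it is dead code, so either state that build assumption in a comment or allocate with `new (std::nothrow) char[len+1]` so the branch is honoured in both configurations. `strlen(apn) != len` also depends on the caller's buffer being NUL-terminated within reach; `strnlen(apn, MAX_APN_LEN + 1) != len` bounds that read to the length the preceding `len > MAX_APN_LEN` check already admits. The function's signature line precedes the hunk.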
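Review bot: The early `return` in the AgpsMsgAtlOpenSuccess constructor leaves a fully constructed message whose `mApnLen` is still `apnLen` while `mApnName` is null, and nothing in the hunk stops that object from being queued and processed; the `proc()` body lies outside the hunk, so whether it dereferences `mApnName` cannot be confirmed here, but the invariant "mApnLen bytes are readable at mApnName" is broken. Setting `mApnLen = 0;` before the `return` restores a consistent state, and `proc()` should presumably bail out on a null `mApnName`. As in the Agps.cpp hunk, `mApnName == nullptr` is only reachable when `new char[apnLen + 1]` cannot throw, so the same build-configuration caveat applies. `// Reporting the failure here` restates the next line; a why-comment such as `// Tell the AGPS manager the link is closed so the client does not wait on a connection that will never carry data` would earn its place.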
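Review bot: The two `sendMsg(` lines that the new `else` now encloses keep their old indentation, so the block reads as though sendMsg sat outside the branch; re-indent them one level under `} else {`. `strlen(apnName) != apnLen` compares `size_t` with `apnLen`, which the constructor stores into an `int`-initialised member, so this will draw a sign-compare warning — it is safe because `apnLen <= 0` short-circuits first, but `strlen(apnName) != static_cast<size_t>(apnLen)` makes that explicit. The comment typo `inital` should read `initial`, and the logging macro `LOC_LOGe` here differs from `LOC_LOGE` in the constructor hunk; if both exist and log at the same level, pick one for the file. dataConnOpenCommand starts before this hunk.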