diff options
Diffstat (limited to 'msm8998/gnss')
-rw-r--r-- | msm8998/gnss/Agps.cpp | 15 | ||||
-rw-r--r-- | msm8998/gnss/GnssAdapter.cpp | 14 |
2 files changed, 21 insertions, 8 deletions
diff --git a/msm8998/gnss/Agps.cpp b/msm8998/gnss/Agps.cpp index e671daa..f2fcdd9 100644 --- a/msm8998/gnss/Agps.cpp +++ b/msm8998/gnss/Agps.cpp @@ -452,19 +452,20 @@ void AgpsStateMachine::setAPN(char* apn, unsigned int len){ if (NULL != mAPN) { delete mAPN; + mAPN = NULL; } - if (apn == NULL || len <= 0) { + if (NULL == apn || len <= 0 || len > MAX_APN_LEN || strlen(apn) != len) { LOC_LOGD("Invalid apn len (%d) or null apn", len); mAPN = NULL; mAPNLen = 0; - } - - if (NULL != apn) { + } else { mAPN = new char[len+1]; - memcpy(mAPN, apn, len); - mAPN[len] = '\0'; - mAPNLen = len; + if (NULL != mAPN) { + memcpy(mAPN, apn, len); + mAPN[len] = '\0'; + mAPNLen = len; + } } } diff --git a/msm8998/gnss/GnssAdapter.cpp b/msm8998/gnss/GnssAdapter.cpp index fadf350..ac5f600 100644 --- a/msm8998/gnss/GnssAdapter.cpp +++ b/msm8998/gnss/GnssAdapter.cpp @@ -2543,6 +2543,12 @@ void GnssAdapter::dataConnOpenCommand( new char[apnLen + 1]), mApnLen(apnLen), mIpType(ipType) { LOC_LOGV("AgpsMsgAtlOpenSuccess"); + if (mApnName == nullptr) { + LOC_LOGE("%s] new allocation failed, fatal error.", __func__); + // Reporting the failure here + mAgpsManager->reportAtlClosed(mAgpsType); + return; + } memcpy(mApnName, apnName, apnLen); mApnName[apnLen] = 0; } @@ -2558,9 +2564,15 @@ void GnssAdapter::dataConnOpenCommand( mIpType); } }; - + // Added inital length checks for apnlen check to avoid security issues + // In case of failure reporting the same + if (NULL == apnName || apnLen <= 0 || apnLen > MAX_APN_LEN || (strlen(apnName) != apnLen)) { + LOC_LOGe("%s]: incorrect apnlen length or incorrect apnName", __func__); + mAgpsManager.reportAtlClosed(agpsType); + } else { sendMsg( new AgpsMsgAtlOpenSuccess( &mAgpsManager, (AGpsExtType)agpsType, apnName, apnLen, ipType)); + } } void GnssAdapter::dataConnClosedCommand(AGpsExtType agpsType){ |