diff options
author | Nilesh Gharde <ngharde@codeaurora.org> | 2019-03-22 17:26:09 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2019-03-27 07:02:19 -0700 |
commit | b47ee496e588eab7d03cb2f3fb952d5fab1043ee (patch) | |
tree | dc64c69157179dcd6b8d5714c799673b7e9df8c2 /gnss/Agps.cpp | |
parent | 01869b4004179870db2160ed41283dce7fbbdcde (diff) | |
download | gps-b47ee496e588eab7d03cb2f3fb952d5fab1043ee.tar.gz |
Integer overflow leading to a buffer overflow
Added a length check in to avoid integer overflow
in dataConnOpenCommand and set APN methods.
As the APN name is like few 100bytes so
using the micro defined int gps_extended_c.h
Change-Id: Idb5ebbf2e3647de5fa07673f248c0c256d6c1b52
CRs-fixed: 2419292
Diffstat (limited to 'gnss/Agps.cpp')
-rw-r--r-- | gnss/Agps.cpp | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/gnss/Agps.cpp b/gnss/Agps.cpp index a4f6a30..9de1329 100644 --- a/gnss/Agps.cpp +++ b/gnss/Agps.cpp @@ -445,15 +445,14 @@ void AgpsStateMachine::setAPN(char* apn, unsigned int len){ if (NULL != mAPN) { delete mAPN; + mAPN = NULL; } - if (apn == NULL || len <= 0) { + if (NULL == apn || len <= 0 || len > MAX_APN_LEN || strlen(apn) != len) { LOC_LOGD("Invalid apn len (%d) or null apn", len); mAPN = NULL; mAPNLen = 0; - } - - if (NULL != apn) { + } else { mAPN = new char[len+1]; if (NULL != mAPN) { memcpy(mAPN, apn, len); |