author | qctecmdr <qctecmdr@localhost> | 2019-04-01 22:11:09 -0700 |
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2019-04-01 22:11:09 -0700 |
commit | 3e614934d19cc55c86d5b58cea39e49c7122ac3d (patch) | |
tree | ea7e072fdb0a5f331c05b2f44cfa9c1a92da546a /gnss | |
parent | 449fdb73e223ae9e2d4d6c407ba5510cfe929b99 (diff) | |
parent | b47ee496e588eab7d03cb2f3fb952d5fab1043ee (diff) | |
Merge "Integer overflow leading to a buffer overflow"
Diffstat (limited to 'gnss')
-rw-r--r-- | gnss/Agps.cpp | 7 | ||||
-rw-r--r-- | gnss/GnssAdapter.cpp | 14 |
2 files changed, 14 insertions, 7 deletions
diff --git a/gnss/Agps.cpp b/gnss/Agps.cpp
index a4f6a30..9de1329 100644
--- a/gnss/Agps.cpp
+++ b/gnss/Agps.cpp
@@ -445,15 +445,14 @@ void AgpsStateMachine::setAPN(char* apn, unsigned int len){
 if (NULL != mAPN) {
 delete mAPN;
+ mAPN = NULL;
 }
- if (apn == NULL || len <= 0) {
+ if (NULL == apn || len <= 0 || len > MAX_APN_LEN || strlen(apn) != len) {
 LOC_LOGD("Invalid apn len (%d) or null apn", len);
 mAPN = NULL;
 mAPNLen = 0;
- }
-
- if (NULL != apn) {
+ } else {
 mAPN = new char[len+1];
 if (NULL != mAPN) {
 memcpy(mAPN, apn, len);
diff --git a/gnss/GnssAdapter.cpp b/gnss/GnssAdapter.cpp
index 10f0255..febea69 100644
--- a/gnss/GnssAdapter.cpp
+++ b/gnss/GnssAdapter.cpp
@@ -4054,6 +4054,8 @@ void GnssAdapter::dataConnOpenCommand(
 LOC_LOGV("AgpsMsgAtlOpenSuccess");
 if (mApnName == nullptr) {
 LOC_LOGE("%s] new allocation failed, fatal error.", __func__);
+ // Reporting the failure here
+ mAgpsManager->reportAtlClosed(mAgpsType);
 return;
 }
 memcpy(mApnName, apnName, apnLen);
@@ -4070,9 +4072,15 @@ void GnssAdapter::dataConnOpenCommand(
 mAgpsManager->reportAtlOpenSuccess(mAgpsType, mApnName, mApnLen, mBearerType);
 }
 };
-
- sendMsg( new AgpsMsgAtlOpenSuccess(
- &mAgpsManager, agpsType, apnName, apnLen, bearerType));
+ // Added inital length checks for apnlen check to avoid security issues
+ // In case of failure reporting the same
+ if (NULL == apnName || apnLen <= 0 || apnLen > MAX_APN_LEN || (strlen(apnName) != apnLen)) {
+ LOC_LOGe("%s]: incorrect apnlen length or incorrect apnName", __func__);
+ mAgpsManager.reportAtlClosed(agpsType);
+ } else {
+ sendMsg( new AgpsMsgAtlOpenSuccess(
+ &mAgpsManager, agpsType, apnName, apnLen, bearerType));
+ }
 }
 
 void GnssAdapter::dataConnClosedCommand(AGpsExtType agpsType){
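Review bot: `delete mAPN;` on the context line just above the new `mAPN = NULL;` frees storage that the same hunk shows being allocated with `new char[len+1]`, so it should be `delete[] mAPN;` — a scalar delete of an array allocation is undefined behaviour (the line predates this change but sits in the reviewed hunk). In the new condition, `strlen(apn)` is evaluated only after `len > MAX_APN_LEN`, yet it still scans `apn` with no upper bound; if a caller can pass a buffer that is not NUL-terminated, `strnlen(apn, MAX_APN_LEN + 1) != len` keeps the read inside the limit the preceding test already enforces. Since `len` is `unsigned int`, `len <= 0` is simply `len == 0`, and the `%d` in the LOC_LOGD format should be `%u`. setAPN's body continues past the end of the hunk.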
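Review bot: The new `reportAtlClosed` call on the allocation-failure path does not stop the message from being dispatched: the enclosing function starts outside the hunk, but if this is the AgpsMsgAtlOpenSuccess constructor (the "new allocation failed" log suggests so), the early `return` still yields a constructed object that the next hunk hands to `sendMsg`, and its `proc()` would then call `reportAtlOpenSuccess` with a null `mApnName`, so the same request would be reported closed and then opened. Consider guarding `proc()` with `if (mApnName == nullptr) return;` or recording the failure in a member that `proc()` checks. Also note that a plain `new` throws `std::bad_alloc` rather than returning nullptr, so unless `new (std::nothrow)` is used here the whole `mApnName == nullptr` branch is unreachable.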
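Review bot: `strlen(apnName)` in the new check runs only after `apnLen > MAX_APN_LEN` has been rejected, but it still scans `apnName` without an upper bound; if callers can pass an unterminated buffer of `apnLen` bytes, `strnlen(apnName, MAX_APN_LEN + 1) != (size_t)apnLen` bounds the read to what the check already permits and also removes the signed/unsigned comparison with `apnLen`. The same four-part condition appears verbatim in `AgpsStateMachine::setAPN` in Agps.cpp; a shared helper such as `static bool isValidApn(const char* apn, size_t len)` would keep the two validations from drifting apart. The added comment has a typo ("inital" → "initial"), and the new `LOC_LOGe` differs in case from the `LOC_LOGE` used a few lines earlier in the same function.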