authorqctecmdr <qctecmdr@localhost>2019-04-01 22:11:09 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2019-04-01 22:11:09 -0700
commit3e614934d19cc55c86d5b58cea39e49c7122ac3d (patch)
treeea7e072fdb0a5f331c05b2f44cfa9c1a92da546a /gnss
parent449fdb73e223ae9e2d4d6c407ba5510cfe929b99 (diff)
parentb47ee496e588eab7d03cb2f3fb952d5fab1043ee (diff)
Merge "Integer overflow leading to a buffer overflow"
Diffstat (limited to 'gnss')
-rw-r--r--gnss/Agps.cpp7
-rw-r--r--gnss/GnssAdapter.cpp14
2 files changed, 14 insertions, 7 deletions
diff --git a/gnss/Agps.cpp b/gnss/Agps.cpp
index a4f6a30..9de1329 100644
--- a/gnss/Agps.cpp
+++ b/gnss/Agps.cpp
@@ -445,15 +445,14 @@ void AgpsStateMachine::setAPN(char* apn, unsigned int len){
if (NULL != mAPN) {
delete mAPN;
+ mAPN = NULL;
}
- if (apn == NULL || len <= 0) {
+ if (NULL == apn || len <= 0 || len > MAX_APN_LEN || strlen(apn) != len) {
LOC_LOGD("Invalid apn len (%d) or null apn", len);
mAPN = NULL;
mAPNLen = 0;
- }
-
- if (NULL != apn) {
+ } else {
mAPN = new char[len+1];
if (NULL != mAPN) {
memcpy(mAPN, apn, len);
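Review bot: `strlen(apn) != len` in the new guard scans `apn` until it finds a NUL, so it is bounded only if every caller passes a terminated string; if `apn` can be a length-delimited buffer, the check itself reads past it. A bounded form such as `strnlen(apn, len) != len` never looks beyond the `len` bytes that the `memcpy` below copies, at the cost of accepting a longer string and truncating it. The same expression is applied to `apnName` in the GnssAdapter.cpp check in front of `sendMsg`. Separately, the buffer is allocated with `new char[len+1]` but released with `delete mAPN;` at the top of this hunk, which should be `delete[] mAPN;`. setAPN's body starts before and continues after the hunk.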
diff --git a/gnss/GnssAdapter.cpp b/gnss/GnssAdapter.cpp
index 10f0255..febea69 100644
--- a/gnss/GnssAdapter.cpp
+++ b/gnss/GnssAdapter.cpp
@@ -4054,6 +4054,8 @@ void GnssAdapter::dataConnOpenCommand(
LOC_LOGV("AgpsMsgAtlOpenSuccess");
if (mApnName == nullptr) {
LOC_LOGE("%s] new allocation failed, fatal error.", __func__);
+ // Reporting the failure here
+ mAgpsManager->reportAtlClosed(mAgpsType);
return;
}
memcpy(mApnName, apnName, apnLen);
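Review bot: The added `reportAtlClosed` call sits in what appears to be the AgpsMsgAtlOpenSuccess constructor, and the early `return` only leaves that constructor. The object still exists and, judging by the `sendMsg(new AgpsMsgAtlOpenSuccess(...))` call later in the file, is still queued, so its handler would go on to call `reportAtlOpenSuccess` with a null `mApnName` after the close was already reported. If that reading is right, the handler needs its own guard, for example `if (nullptr == mApnName) { return; }` in front of the `reportAtlOpenSuccess` call. The constructor begins before this hunk, so the allocation itself and whether `new` can return null in this build are not visible here.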
@@ -4070,9 +4072,15 @@ void GnssAdapter::dataConnOpenCommand(
mAgpsManager->reportAtlOpenSuccess(mAgpsType, mApnName, mApnLen, mBearerType);
}
};
-
- sendMsg( new AgpsMsgAtlOpenSuccess(
- &mAgpsManager, agpsType, apnName, apnLen, bearerType));
+ // Added inital length checks for apnlen check to avoid security issues
+ // In case of failure reporting the same
+ if (NULL == apnName || apnLen <= 0 || apnLen > MAX_APN_LEN || (strlen(apnName) != apnLen)) {
+ LOC_LOGe("%s]: incorrect apnlen length or incorrect apnName", __func__);
+ mAgpsManager.reportAtlClosed(agpsType);
+ } else {
+ sendMsg( new AgpsMsgAtlOpenSuccess(
+ &mAgpsManager, agpsType, apnName, apnLen, bearerType));
+ }
}
void GnssAdapter::dataConnClosedCommand(AGpsExtType agpsType){
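Review bot: The rejection branch calls `mAgpsManager.reportAtlClosed(agpsType)` directly from dataConnOpenCommand, while the accepted path reaches the manager only through a queued message; if AgpsManager state is meant to be touched only from the message thread, the failure report should be posted the same way, which is worth confirming. The comment above the check would help more if it stated the invariant instead of "security issues", e.g. `// apnName must be a NUL-terminated string of exactly apnLen bytes, 1..MAX_APN_LEN; the message copies apnLen bytes.` `LOC_LOGe` also differs in case from the `LOC_LOGE` used a few lines up; if it is the variant that already prefixes the function name, the `%s]` and `__func__` pair is redundant.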