Fix OOB vulnerability in setGsm/CdmaSmsBroadcastConfigInfo
Error if length >25
Test: lunch cf_x86_phone-userdeug && mm
Bug: 144046782
Change-Id: I9b3b2cfb8269472c02c673949082b1dad7418760
Merged-In: I9b3b2cfb8269472c02c673949082b1dad7418760
diff --git a/guest/hals/ril/libril/ril.h b/guest/hals/ril/libril/ril.h
index 72700d5..b17c7f9 100644
--- a/guest/hals/ril/libril/ril.h
+++ b/guest/hals/ril/libril/ril.h
@@ -116,6 +116,7 @@
#define MAX_BANDS 8
#define MAX_CHANNELS 32
#define MAX_RADIO_ACCESS_NETWORKS 8
+#define MAX_BROADCAST_SMS_CONFIG_INFO 25
typedef void * RIL_Token;
diff --git a/guest/hals/ril/libril/ril_service.cpp b/guest/hals/ril/libril/ril_service.cpp
index 7092037..7538d7a 100644
--- a/guest/hals/ril/libril/ril_service.cpp
+++ b/guest/hals/ril/libril/ril_service.cpp
@@ -1932,6 +1932,12 @@
}
int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setGsmBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
RIL_GSM_BroadcastSmsConfigInfo gsmBci[num];
RIL_GSM_BroadcastSmsConfigInfo *gsmBciPtrs[num];
@@ -1979,6 +1985,12 @@
}
int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setCdmaBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
RIL_CDMA_BroadcastSmsConfigInfo cdmaBci[num];
RIL_CDMA_BroadcastSmsConfigInfo *cdmaBciPtrs[num];