DO NOT MERGE: Fix vulnerability where large GPS XTRA data can be
injected.
-Can potentially crash system with OOM.
Bug: 29555864
Change-Id: I7157f48dddf148a9bcab029cf12e26a58d8054f4
(cherry picked from commit 79375723f0f201a6759ddbfda57d491ff3fea64e)
diff --git a/services/core/java/com/android/server/location/GpsXtraDownloader.java b/services/core/java/com/android/server/location/GpsXtraDownloader.java
index c464371..874857a 100644
--- a/services/core/java/com/android/server/location/GpsXtraDownloader.java
+++ b/services/core/java/com/android/server/location/GpsXtraDownloader.java
@@ -22,6 +22,12 @@
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
+
+import libcore.io.IoUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.IOException;
import java.util.Properties;
import java.util.Random;
import java.util.concurrent.TimeUnit;
@@ -37,6 +43,7 @@
private static final String TAG = "GpsXtraDownloader";
private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
+ private static final long MAXIMUM_CONTENT_LENGTH_BYTES = 1000000; // 1MB.
private static final String DEFAULT_USER_AGENT = "Android";
private static final int CONNECTION_TIMEOUT_MS = (int) TimeUnit.SECONDS.toMillis(30);
@@ -124,7 +131,19 @@
return null;
}
- return Streams.readFully(connection.getInputStream());
+ try (InputStream in = connection.getInputStream()) {
+ ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+ byte[] buffer = new byte[1024];
+ int count;
+ while ((count = in.read(buffer)) != -1) {
+ bytes.write(buffer, 0, count);
+ if (bytes.size() > MAXIMUM_CONTENT_LENGTH_BYTES) {
+ if (DEBUG) Log.d(TAG, "XTRA file too large");
+ return null;
+ }
+ }
+ return bytes.toByteArray();
+ }
} catch (IOException ioe) {
if (DEBUG) Log.d(TAG, "Error downloading gps XTRA: ", ioe);
} finally {
@@ -136,3 +155,4 @@
}
}
+
