DO NOT MERGE: Fix vulnerability where large GPS XTRA data can be
injected.
-Can potentially crash system with OOM.
Bug: 29555864
Change-Id: I7157f48dddf148a9bcab029cf12e26a58d8054f4
(cherry picked from commit 5439aabb165b5a760d1e580016bf1d6fd963cb65)
diff --git a/services/core/java/com/android/server/location/GpsXtraDownloader.java b/services/core/java/com/android/server/location/GpsXtraDownloader.java
index 3585049..6310361 100644
--- a/services/core/java/com/android/server/location/GpsXtraDownloader.java
+++ b/services/core/java/com/android/server/location/GpsXtraDownloader.java
@@ -21,8 +21,11 @@
import java.net.HttpURLConnection;
import java.net.URL;
-import libcore.io.Streams;
+import libcore.io.IoUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
import java.io.IOException;
import java.util.Properties;
import java.util.Random;
@@ -36,6 +39,7 @@
private static final String TAG = "GpsXtraDownloader";
private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
+ private static final long MAXIMUM_CONTENT_LENGTH_BYTES = 1000000; // 1MB.
private static final String DEFAULT_USER_AGENT = "Android";
private final String[] mXtraServers;
@@ -121,7 +125,19 @@
return null;
}
- return Streams.readFully(connection.getInputStream());
+ try (InputStream in = connection.getInputStream()) {
+ ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+ byte[] buffer = new byte[1024];
+ int count;
+ while ((count = in.read(buffer)) != -1) {
+ bytes.write(buffer, 0, count);
+ if (bytes.size() > MAXIMUM_CONTENT_LENGTH_BYTES) {
+ if (DEBUG) Log.d(TAG, "XTRA file too large");
+ return null;
+ }
+ }
+ return bytes.toByteArray();
+ }
} catch (IOException ioe) {
if (DEBUG) Log.d(TAG, "Error downloading gps XTRA: ", ioe);
} finally {
@@ -133,3 +149,4 @@
}
}
+
