added SmsMessage ConcatRef parsing validation
addresses bugs:
http://b/issue?id=1870607
http://b/issue?id=1688238
and prior perforce commit:
http://s9/?change_num=136189
diff --git a/telephony/java/com/android/internal/telephony/SmsHeader.java b/telephony/java/com/android/internal/telephony/SmsHeader.java
index d220648..7872eec 100644
--- a/telephony/java/com/android/internal/telephony/SmsHeader.java
+++ b/telephony/java/com/android/internal/telephony/SmsHeader.java
@@ -111,7 +111,10 @@
/**
* NOTE: as defined in the spec, ConcatRef and PortAddr
* fields should not reoccur, but if they do the last
- * occurrence is to be used.
+ * occurrence is to be used. Also, for ConcatRef
+ * elements, if the count is zero, sequence is zero, or
+ * sequence is larger than count, the entire element is to
+ * be ignored.
*/
int id = inStream.read();
int length = inStream.read();
@@ -124,7 +127,10 @@
concatRef.msgCount = inStream.read();
concatRef.seqNumber = inStream.read();
concatRef.isEightBits = true;
- smsHeader.concatRef = concatRef;
+ if (concatRef.msgCount != 0 && concatRef.seqNumber != 0 &&
+ concatRef.seqNumber <= concatRef.msgCount) {
+ smsHeader.concatRef = concatRef;
+ }
break;
case ELT_ID_CONCATENATED_16_BIT_REFERENCE:
concatRef = new ConcatRef();
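Review bot: The guard added before `smsHeader.concatRef = concatRef;` still accepts a truncated element. If inStream is a java.io.InputStream (its declaration is outside the hunk), `read()` returns -1 once the data runs out, and msgCount == seqNumber == -1 satisfies all three comparisons. These fields come from a received SMS user-data header, so the check should have a lower bound as well: `if (concatRef.msgCount > 0 && concatRef.seqNumber > 0 && concatRef.seqNumber <= concatRef.msgCount) {`. The identical condition is repeated in the ELT_ID_CONCATENATED_16_BIT_REFERENCE case in the next hunk; a small private helper, for example `isValidConcatRef(concatRef)`, would keep the two branches in step. The enclosing switch and method begin and end outside this hunk.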
@@ -132,7 +138,10 @@
concatRef.msgCount = inStream.read();
concatRef.seqNumber = inStream.read();
concatRef.isEightBits = false;
- smsHeader.concatRef = concatRef;
+ if (concatRef.msgCount != 0 && concatRef.seqNumber != 0 &&
+ concatRef.seqNumber <= concatRef.msgCount) {
+ smsHeader.concatRef = concatRef;
+ }
break;
case ELT_ID_APPLICATION_PORT_ADDRESSING_8_BIT:
portAddrs = new PortAddrs();
diff --git a/tests/AndroidTests/src/com/android/unit_tests/CdmaSmsTest.java b/tests/AndroidTests/src/com/android/unit_tests/CdmaSmsTest.java
index f8d5d4d..75fd157 100644
--- a/tests/AndroidTests/src/com/android/unit_tests/CdmaSmsTest.java
+++ b/tests/AndroidTests/src/com/android/unit_tests/CdmaSmsTest.java
@@ -169,6 +169,43 @@
}
@SmallTest
+ public void testUserDataHeaderIllegalConcatRef() throws Exception {
+ BearerData bearerData = new BearerData();
+ bearerData.messageType = BearerData.MESSAGE_TYPE_DELIVER;
+ bearerData.messageId = 55;
+ SmsHeader.ConcatRef concatRef = new SmsHeader.ConcatRef();
+ concatRef.refNumber = 0x10;
+ concatRef.msgCount = 0;
+ concatRef.seqNumber = 2;
+ concatRef.isEightBits = true;
+ SmsHeader smsHeader = new SmsHeader();
+ smsHeader.concatRef = concatRef;
+ byte[] encodedHeader = SmsHeader.toByteArray(smsHeader);
+ SmsHeader decodedHeader = SmsHeader.fromByteArray(encodedHeader);
+ assertEquals(decodedHeader.concatRef, null);
+ concatRef.isEightBits = false;
+ encodedHeader = SmsHeader.toByteArray(smsHeader);
+ decodedHeader = SmsHeader.fromByteArray(encodedHeader);
+ assertEquals(decodedHeader.concatRef, null);
+ concatRef.msgCount = 1;
+ concatRef.seqNumber = 2;
+ encodedHeader = SmsHeader.toByteArray(smsHeader);
+ decodedHeader = SmsHeader.fromByteArray(encodedHeader);
+ assertEquals(decodedHeader.concatRef, null);
+ concatRef.msgCount = 1;
+ concatRef.seqNumber = 0;
+ encodedHeader = SmsHeader.toByteArray(smsHeader);
+ decodedHeader = SmsHeader.fromByteArray(encodedHeader);
+ assertEquals(decodedHeader.concatRef, null);
+ concatRef.msgCount = 2;
+ concatRef.seqNumber = 1;
+ encodedHeader = SmsHeader.toByteArray(smsHeader);
+ decodedHeader = SmsHeader.fromByteArray(encodedHeader);
+ assertEquals(decodedHeader.concatRef.msgCount, 2);
+ assertEquals(decodedHeader.concatRef.seqNumber, 1);
+ }
+
+ @SmallTest
public void testUserDataHeaderMixedFeedback() throws Exception {
BearerData bearerData = new BearerData();
bearerData.messageType = BearerData.MESSAGE_TYPE_DELIVER;
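Review bot: In testUserDataHeaderIllegalConcatRef only the `msgCount = 0` case runs with the 8-bit element. After `concatRef.isEightBits = false;` the flag is never set back, so the sequence-greater-than-count, sequence-zero and accepted cases presumably exercise the 16-bit branch alone. Repeating those three cases with `isEightBits = true` would cover both guards added in SmsHeader.java. The null checks would read better as `assertNull(decodedHeader.concatRef);`, since assertEquals takes the expected value first, and the `bearerData` local is set up but never used in this test.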