[automerger] Fixed Invalid Pdu Issue am: 4b938358de am: fc2a2d071a am: ca00d5d151 am: 23de93c197 am: 909c1606d3 am: bfb0076f03
Change-Id: I5e5c940c7abb06294f507b3b48fad6672a6e7c38
diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java
index a70aa26..d52e71b 100644
--- a/src/java/com/android/internal/telephony/InboundSmsHandler.java
+++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java
@@ -67,6 +67,7 @@
import android.telephony.SubscriptionManager;
import android.telephony.TelephonyManager;
import android.text.TextUtils;
+import android.util.EventLog;
import com.android.internal.R;
import com.android.internal.annotations.VisibleForTesting;
@@ -729,6 +730,18 @@
byte[][] pdus;
int destPort = tracker.getDestPort();
+ // Do not process when the message count is invalid.
+ if (messageCount <= 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid messageCount = %d",
+ messageCount));
+ return false;
+ }
+
if (messageCount == 1) {
// single-part message
pdus = new byte[][]{tracker.getPdu()};
@@ -762,6 +775,22 @@
// subtract offset to convert sequence to 0-based array index
int index = cursor.getInt(SEQUENCE_COLUMN) - tracker.getIndexOffset();
+ // The invalid PDUs can be received and stored in the raw table. The range
+ // check ensures the process not crash even if the seqNumber in the
+ // UserDataHeader is invalid.
+ if (index >= pdus.length || index < 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid seqNumber = %d, "
+ + "messageCount = %d",
+ index + tracker.getIndexOffset(),
+ messageCount));
+ continue;
+ }
+
pdus[index] = HexDump.hexStringToByteArray(cursor.getString(PDU_COLUMN));
// Read the destination port from the first segment (needed for CDMA WAP PDU).
