Merge cherrypicks of [5027797, 5027798, 5029209, 5030032, 5023135, 5028893, 5028915, 5028916, 5028917, 5028948, 5028949, 5028950, 5030131, 5030132, 5030133, 5030134, 5030135, 5028894, 5028918, 5030033, 5023136, 5030136, 5029210, 5030171, 5030172, 5030173, 5030174, 5030175, 5030176, 5030177, 5030178, 5030179, 5030180, 5029076, 5029077, 5029078, 5029079, 5029080, 5029081, 5029082, 5029083, 5029084, 5029085, 5029086, 5029087, 5029088, 5029089, 5029090, 5030211, 5030212, 5030213, 5030214, 5030215, 5030216, 5030217, 5020440, 5020441, 5020442, 5030137, 5030034, 5020443, 5030138, 5029124, 5027799, 5029125, 5029126, 5029127, 5023137, 5030139, 5030140, 5029132, 5030141, 5030142, 5030143, 5030181, 5030182, 5030183, 5030184, 5030185, 5030186, 5030187, 5030188, 5030189, 5030190, 5030231, 5030232, 5030233, 5030234, 5030235, 5030236, 5030237, 5030238, 5030239, 5030240, 5030241, 5030242, 5030243, 5030244, 5030245, 5030246, 5030247, 5030248, 5030249, 5030250, 5030271, 5030272, 5030273, 5030274, 5030275, 5030276, 5030277, 5030278, 5030279, 5030280, 5030281, 5020444, 5027800, 5030144] into nyc-bugfix-release
Change-Id: Ie7cf69fe0e537e2795d53cd16d8d3a9897564550
diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java
index 34b0b98..5183f1a 100644
--- a/src/java/com/android/internal/telephony/InboundSmsHandler.java
+++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java
@@ -67,6 +67,7 @@
import android.telephony.SubscriptionManager;
import android.telephony.TelephonyManager;
import android.text.TextUtils;
+import android.util.EventLog;
import com.android.internal.R;
import com.android.internal.annotations.VisibleForTesting;
@@ -726,6 +727,18 @@
byte[][] pdus;
int destPort = tracker.getDestPort();
+ // Do not process when the message count is invalid.
+ if (messageCount <= 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid messageCount = %d",
+ messageCount));
+ return false;
+ }
+
if (messageCount == 1) {
// single-part message
pdus = new byte[][]{tracker.getPdu()};
@@ -759,6 +772,22 @@
// subtract offset to convert sequence to 0-based array index
int index = cursor.getInt(SEQUENCE_COLUMN) - tracker.getIndexOffset();
+ // The invalid PDUs can be received and stored in the raw table. The range
+ // check ensures the process not crash even if the seqNumber in the
+ // UserDataHeader is invalid.
+ if (index >= pdus.length || index < 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid seqNumber = %d, "
+ + "messageCount = %d",
+ index + tracker.getIndexOffset(),
+ messageCount));
+ continue;
+ }
+
pdus[index] = HexDump.hexStringToByteArray(cursor.getString(PDU_COLUMN));
// Read the destination port from the first segment (needed for CDMA WAP PDU).