Merge cherrypicks of [4583929, 4582754, 4582755, 4582756, 4583930, 4583931, 4583932, 4586307, 4586953, 4582585, 4586964, 4586965, 4586984, 4586985, 4586986, 4586987, 4586966, 4582586, 4582885, 4586531, 4586532, 4586533, 4586535, 4586536, 4586537, 4586538, 4586539, 4586540, 4586541, 4586542, 4586890, 4586891, 4586892, 4586893, 4586894, 4586895, 4586896, 4586897, 4586898, 4586899, 4586900, 4586901, 4586902, 4586903, 4587104, 4587105, 4587106, 4586988, 4583933, 4583934, 4583935, 4586989, 4586990, 4587136, 4587138, 4586991, 4586308, 4586967, 4587069, 4587070, 4582886, 4582887, 4587164, 4582888, 4587027, 4587028, 4587029, 4587030, 4582587, 4582588, 4582589, 4582590, 4582591, 4582592, 4582593, 4582594, 4582595, 4582596, 4582597, 4582598, 4582599, 4582600, 4582601, 4582602, 4582603, 4587244, 4587245, 4587246, 4587247, 4587248, 4587249, 4587250, 4587251, 4587252, 4582760, 4583936, 4582761, 4586992, 4587229, 4587230, 4587231, 4587253, 4586968] into sparse-4732991-L37700000192334752
Change-Id: I3215056db144f7c9040c7a705b3a3e4ce52320d5
diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java
index 2d663cd..99fd965 100644
--- a/src/java/com/android/internal/telephony/InboundSmsHandler.java
+++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java
@@ -74,6 +74,7 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import android.util.EventLog;
/**
* This class broadcasts incoming SMS messages to interested apps after storing them in
@@ -803,6 +804,19 @@
int destPort = tracker.getDestPort();
boolean block = false;
+ // Do not process when the message count is invalid.
+ if (messageCount <= 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid messageCount = %d",
+ messageCount));
+
+ return false;
+ }
+
if (messageCount == 1) {
// single-part message
pdus = new byte[][]{tracker.getPdu()};
@@ -838,6 +852,21 @@
int index = cursor.getInt(PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING
.get(SEQUENCE_COLUMN)) - tracker.getIndexOffset();
+ // The invalid PDUs can be received and stored in the raw table. The range
+ // check ensures the process not crash even if the seqNumber in the
+ // UserDataHeader is invalid.
+ if (index >= pdus.length || index < 0) {
+ EventLog.writeEvent(
+ 0x534e4554 /* snetTagId */,
+ "72298611" /* buganizer id */,
+ -1 /* uid */,
+ String.format(
+ "processMessagePart: invalid seqNumber = %d, messageCount = %d",
+ index + tracker.getIndexOffset(),
+ messageCount));
+ continue;
+ }
+
pdus[index] = HexDump.hexStringToByteArray(cursor.getString(
PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING.get(PDU_COLUMN)));
diff --git a/tests/telephonytests/src/com/android/internal/telephony/mocks/ConnectivityServiceMock.java b/tests/telephonytests/src/com/android/internal/telephony/mocks/ConnectivityServiceMock.java
index 9210a08..87818af 100644
--- a/tests/telephonytests/src/com/android/internal/telephony/mocks/ConnectivityServiceMock.java
+++ b/tests/telephonytests/src/com/android/internal/telephony/mocks/ConnectivityServiceMock.java
@@ -499,6 +499,11 @@
throw new RuntimeException("not implemented");
}
+ @Override
+ public boolean isActiveNetworkMeteredForUid(int uid) {
+ throw new RuntimeException("not implemented");
+ }
+
public boolean requestRouteToHostAddress(int networkType, byte[] hostAddress) {
throw new RuntimeException("not implemented");
}