commit 77dc5c543fe2122a65ccf005d3684124c897c6e5
author Sarah Chin <sarahchin@google.com> Mon Feb 03 12:38:02 2020 -0800
committer Sarah Chin <sarahchin@google.com> Tue Feb 04 10:28:52 2020 -0800
tree 82cf1774d1f41400de37f8b7294c363588e996f3
parent 1874878e715bd8765b732d26303f457f263e465c

Fix OOB vulnerability in setGsm/CdmaSmsBroadcastConfigInfo

Error if length > 25

Test: lunch cf_x86_phone-userdebug && mm
Bug: 144046782
Change-Id: I18f9745174762a52fc20bfc7273c6b3fd2118da5

include/telephony/ril.h

diff --git a/include/telephony/ril.h b/include/telephony/ril.h
index e189777..7530146 100644
--- a/include/telephony/ril.h
+++ b/include/telephony/ril.h
@@ -107,6 +107,7 @@
 #define MAX_BANDS 8
 #define MAX_CHANNELS 32
 #define MAX_RADIO_ACCESS_NETWORKS 8
+#define MAX_BROADCAST_SMS_CONFIG_INFO 25
 
 
 typedef void * RIL_Token;

libril/ril_service.cpp

diff --git a/libril/ril_service.cpp b/libril/ril_service.cpp
index c655672..c97b607 100755
--- a/libril/ril_service.cpp
+++ b/libril/ril_service.cpp
@@ -1799,6 +1799,12 @@
     }
 
     int num = configInfo.size();
+    if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+        RLOGE("setGsmBroadcastConfig: Invalid configInfo length %s",
+                requestToString(pRI->pCI->requestNumber));
+        sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+        return Void();
+    }
     RIL_GSM_BroadcastSmsConfigInfo gsmBci[num];
     RIL_GSM_BroadcastSmsConfigInfo *gsmBciPtrs[num];
 
@@ -1846,6 +1852,12 @@
     }
 
     int num = configInfo.size();
+    if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+        RLOGE("setCdmaBroadcastConfig: Invalid configInfo length %s",
+                requestToString(pRI->pCI->requestNumber));
+        sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+        return Void();
+    }
     RIL_CDMA_BroadcastSmsConfigInfo cdmaBci[num];
     RIL_CDMA_BroadcastSmsConfigInfo *cdmaBciPtrs[num];