Fix OOB vulnerability in setGsm/CdmaSmsBroadcastConfigInfo
Return RIL_E_INVALID_ARGUMENTS when configInfo has more than 25 entries (MAX_BROADCAST_SMS_CONFIG_INFO).
Test: lunch cf_x86_phone-userdebug && mm
Bug: 144046782
Change-Id: I18f9745174762a52fc20bfc7273c6b3fd2118da5
diff --git a/include/telephony/ril.h b/include/telephony/ril.h
index e189777..7530146 100644
--- a/include/telephony/ril.h
+++ b/include/telephony/ril.h
@@ -107,6 +107,7 @@
#define MAX_BANDS 8
#define MAX_CHANNELS 32
#define MAX_RADIO_ACCESS_NETWORKS 8
+#define MAX_BROADCAST_SMS_CONFIG_INFO 25
typedef void * RIL_Token;
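Review bot: The new `MAX_BROADCAST_SMS_CONFIG_INFO` macro lands among unrelated limits with no comment saying what it bounds or where 25 comes from, so the next reader cannot tell whether it is safe to raise. It now caps the entry count accepted by setGsmBroadcastConfig/setCdmaBroadcastConfig (anything larger is answered with RIL_E_INVALID_ARGUMENTS) and presumably mirrors a fixed-size buffer in the RIL that consumes those requests — that should be stated: `// Max entries in a GSM/CDMA broadcast SMS config list accepted by setGsm/CdmaBroadcastConfig; larger lists are rejected with RIL_E_INVALID_ARGUMENTS. Keep in sync with the consuming RIL's buffer.` Since this is the public RIL header, vendor implementations that size their own arrays can then reference the macro instead of repeating the literal.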
diff --git a/libril/ril_service.cpp b/libril/ril_service.cpp
index c655672..c97b607 100755
--- a/libril/ril_service.cpp
+++ b/libril/ril_service.cpp
@@ -1799,6 +1799,12 @@
}
int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setGsmBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
RIL_GSM_BroadcastSmsConfigInfo gsmBci[num];
RIL_GSM_BroadcastSmsConfigInfo *gsmBciPtrs[num];
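Review bot: The new bound is checked on `num` only after `configInfo.size()` has already been narrowed into a signed `int` on the line above, so the comparison runs on a possibly truncated value rather than on the size the caller sent; a size at or above 2^31 would wrap negative, pass `num > MAX_BROADCAST_SMS_CONFIG_INFO`, and still reach the two VLA declarations with a negative extent. Whether a HIDL client can actually deliver a vector that large is limited by transaction size and is probably unreachable in practice, but the check is cheaper to get right than to argue about: compare the unsigned size directly, `if (configInfo.size() > MAX_BROADCAST_SMS_CONFIG_INFO) {`, and keep `int num` for the loops that follow. The check also bounds only the upper end — `num == 0` still declares zero-length VLAs, which is a compiler extension rather than standard C++, so if an empty list is meant to be accepted here it deserves a comment. The enclosing setGsmBroadcastConfig starts and ends outside this hunk.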
@@ -1846,6 +1852,12 @@
}
int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setCdmaBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
RIL_CDMA_BroadcastSmsConfigInfo cdmaBci[num];
RIL_CDMA_BroadcastSmsConfigInfo *cdmaBciPtrs[num];
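Review bot: The RLOGE on the added lines reports which request was rejected but not the value that was rejected, which is the one datum worth having when a vendor RIL or a misbehaving HAL client starts tripping this limit; the `%s` from `requestToString` only repeats the request name already in the literal. Suggest `RLOGE("setCdmaBroadcastConfig: Invalid configInfo length %d (max %d)", num, MAX_BROADCAST_SMS_CONFIG_INFO);`, and the same for the GSM variant. The early return also relies on `sendErrorResponse` removing `pRI` from the request list it was added to earlier in the function; that helper is outside the hunk, so confirm it does, or every rejected request leaks its RequestInfo. setCdmaBroadcastConfig begins and ends outside this hunk.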