msm8974-common: libril: Fix OOB vulnerability in setGsm/CdmaSmsBroadcastConfigInfo

Error if length > 25 Test: lunch cf_x86_phone-userdebug && mm Bug: 144046782 Change-Id: I18f9745174762a52fc20bfc7273c6b3fd2118da5
2020-02-03 12:38:02 -08:00 · 2020-02-03 12:38:02 -08:00 · bb7c1788d1
commit bb7c1788d1
parent 725f9e8f33
2 changed files with 13 additions and 0 deletions
--- a/ril/include/telephony/ril.h
+++ b/ril/include/telephony/ril.h
@ -108,6 +108,7 @@ extern "C" {
 #define MAX_BANDS 8
 #define MAX_CHANNELS 32
 #define MAX_RADIO_ACCESS_NETWORKS 8
+#define MAX_BROADCAST_SMS_CONFIG_INFO 25


 typedef void * RIL_Token;
--- a/ril/libril/ril_service.cpp
+++ b/ril/libril/ril_service.cpp
@ -1812,6 +1812,12 @@ Return<void> RadioImpl::setGsmBroadcastConfig(int32_t serial,
    }

    int num = configInfo.size();
+    if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+        RLOGE("setGsmBroadcastConfig: Invalid configInfo length %s",
+                requestToString(pRI->pCI->requestNumber));
+        sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+        return Void();
+    }
    RIL_GSM_BroadcastSmsConfigInfo gsmBci[num];
    RIL_GSM_BroadcastSmsConfigInfo *gsmBciPtrs[num];

@ -1859,6 +1865,12 @@ Return<void> RadioImpl::setCdmaBroadcastConfig(int32_t serial,
    }

    int num = configInfo.size();
+    if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+        RLOGE("setCdmaBroadcastConfig: Invalid configInfo length %s",
+                requestToString(pRI->pCI->requestNumber));
+        sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+        return Void();
+    }
    RIL_CDMA_BroadcastSmsConfigInfo cdmaBci[num];
    RIL_CDMA_BroadcastSmsConfigInfo *cdmaBciPtrs[num];