diff --git a/ril/include/telephony/ril.h b/ril/include/telephony/ril.h
index a892359..df9d98b 100644
--- a/ril/include/telephony/ril.h
+++ b/ril/include/telephony/ril.h
@@ -108,6 +108,7 @@ extern "C" {
 #define MAX_BANDS 8
 #define MAX_CHANNELS 32
 #define MAX_RADIO_ACCESS_NETWORKS 8
+#define MAX_BROADCAST_SMS_CONFIG_INFO 25
 typedef void * RIL_Token;
diff --git a/ril/libril/ril_service.cpp b/ril/libril/ril_service.cpp
index a8526b2..18062f9 100755
--- a/ril/libril/ril_service.cpp
+++ b/ril/libril/ril_service.cpp
@@ -1812,6 +1812,12 @@ Return RadioImpl::setGsmBroadcastConfig(int32_t serial,
 }
 int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setGsmBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
 RIL_GSM_BroadcastSmsConfigInfo gsmBci[num];
 RIL_GSM_BroadcastSmsConfigInfo *gsmBciPtrs[num];
@@ -1859,6 +1865,12 @@ Return RadioImpl::setCdmaBroadcastConfig(int32_t serial,
 }
 int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setCdmaBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
 RIL_CDMA_BroadcastSmsConfigInfo cdmaBci[num];
 RIL_CDMA_BroadcastSmsConfigInfo *cdmaBciPtrs[num];
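Review bot: `MAX_BROADCAST_SMS_CONFIG_INFO` is added to ril.h without a comment saying what it limits or where the value 25 comes from. Judging by the other two hunks, it bounds the on-stack arrays in setGsmBroadcastConfig and setCdmaBroadcastConfig, so a one-line comment would help readers of this header, for example `/* Max entries accepted in one GSM/CDMA broadcast SMS config request; bounds on-stack arrays in libril */`. If 25 is derived from a specification or a modem limit, naming that source in the comment would let implementers verify it.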
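Review bot: The new bound in setGsmBroadcastConfig is tested on `int num` after `configInfo.size()` has already been narrowed to a signed int, so a size that does not fit in `int` would turn negative, pass `num > MAX_BROADCAST_SMS_CONFIG_INFO`, and still reach the variable-length arrays `gsmBci[num]` and `gsmBciPtrs[num]`. Whether the transport can ever deliver such a vector is not visible here, but comparing the unsigned value removes the question: `if (configInfo.size() > MAX_BROADCAST_SMS_CONFIG_INFO) {`. The log message says "Invalid configInfo length" yet prints only the request name; including the rejected length, e.g. `"... length %zu for %s", configInfo.size(), requestToString(...)`, would make rejected requests easier to triage. The same two points apply to the identical check in the setCdmaBroadcastConfig hunk; both function bodies start and end outside the hunks.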