From bb7c1788d194ad917c9fdb38ad5cf3fab5c2a76b Mon Sep 17 00:00:00 2001
From: Sarah Chin
Date: Mon, 3 Feb 2020 12:38:02 -0800
Subject: [PATCH] msm8974-common: libril: Fix OOB vulnerability in setGsm/CdmaSmsBroadcastConfigInfo

Error if length > 25

Test: lunch cf_x86_phone-userdebug && mm
Bug: 144046782
Change-Id: I18f9745174762a52fc20bfc7273c6b3fd2118da5
---
 ril/include/telephony/ril.h | 1 +
 ril/libril/ril_service.cpp | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/ril/include/telephony/ril.h b/ril/include/telephony/ril.h
index a892359..df9d98b 100644
--- a/ril/include/telephony/ril.h
+++ b/ril/include/telephony/ril.h
@@ -108,6 +108,7 @@ extern "C" {
 #define MAX_BANDS 8
 #define MAX_CHANNELS 32
 #define MAX_RADIO_ACCESS_NETWORKS 8
+#define MAX_BROADCAST_SMS_CONFIG_INFO 25
 
 typedef void * RIL_Token;
 
diff --git a/ril/libril/ril_service.cpp b/ril/libril/ril_service.cpp
index a8526b2..18062f9 100755
--- a/ril/libril/ril_service.cpp
+++ b/ril/libril/ril_service.cpp
@@ -1812,6 +1812,12 @@ Return RadioImpl::setGsmBroadcastConfig(int32_t serial,
 }
 
 int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setGsmBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
 RIL_GSM_BroadcastSmsConfigInfo gsmBci[num];
 RIL_GSM_BroadcastSmsConfigInfo *gsmBciPtrs[num];
 
@@ -1859,6 +1865,12 @@ Return RadioImpl::setCdmaBroadcastConfig(int32_t serial,
 }
 
 int num = configInfo.size();
+ if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+ RLOGE("setCdmaBroadcastConfig: Invalid configInfo length %s",
+ requestToString(pRI->pCI->requestNumber));
+ sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+ return Void();
+ }
 RIL_CDMA_BroadcastSmsConfigInfo cdmaBci[num];
 RIL_CDMA_BroadcastSmsConfigInfo *cdmaBciPtrs[num];
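Review bot: The new `MAX_BROADCAST_SMS_CONFIG_INFO` define carries no comment saying what it bounds or where 25 comes from, while it is the one constant in this group that now decides whether a request is rejected. A trailing comment such as `#define MAX_BROADCAST_SMS_CONFIG_INFO 25  /* max entries accepted by setGsm/CdmaBroadcastConfig */` would tie it to its use in ril_service.cpp. Whether 25 is a modem or spec limit or simply a chosen cap cannot be determined from this patch, so the comment should record whichever it is rather than restate the number.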
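Review bot: The new bound is compared only after `configInfo.size()` has been narrowed into `int num`, so the guard tests the signed value rather than the size the vector actually reports, and the run-time-sized `gsmBci[num]` / `gsmBciPtrs[num]` declarations that follow are kept; a more robust form is to test the unnarrowed size and make the arrays fixed, `if (configInfo.size() > MAX_BROADCAST_SMS_CONFIG_INFO) { ... }` followed by `RIL_GSM_BroadcastSmsConfigInfo gsmBci[MAX_BROADCAST_SMS_CONFIG_INFO];` and `RIL_GSM_BroadcastSmsConfigInfo *gsmBciPtrs[MAX_BROADCAST_SMS_CONFIG_INFO];`, which is behaviour-preserving provided the code after the hunk indexes them only up to `num`. The same applies to the setCdmaBroadcastConfig hunk at -1859. The RLOGE text says "Invalid configInfo length" but formats only the request name, so the rejected length is never recorded; `RLOGE("setGsmBroadcastConfig: Invalid configInfo length %d (%s)", num, requestToString(pRI->pCI->requestNumber));` would give the log what it promises. Both setGsmBroadcastConfig and setCdmaBroadcastConfig begin before the hunk and continue after it, so how `num` is used downstream cannot be confirmed from here.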