Android-x86
Fork
Donation

  • R/O
  • HTTP
  • SSH
  • HTTPS

hardware-ril: Commit

hardware/ril


Commit MetaInfo

Revision8d716a827e1a5890054208b5ab7abaec2ba4b221 (tree)
Time2017-09-29 02:15:05
AuthorSanket Padawe <sanketpadawe@goog...>
Commiterandroid-build-team Robot

Log Message

DO NOT MERGE
Fix security vulnerability in pre-O rild code.

Remove wrong code for setup_data_call.
Add check for max address for RIL_DIAL.

Bug: 37896655
Test: Manual.
Change-Id: I05c027140ae828a2653794fcdd94e1b1a130941b
(cherry picked from commit dda24c6557911aa1f4708abbd6b2f20f0e205b9e)

Change Summary

Incremental Difference

--- a/libril/ril.cpp
+++ b/libril/ril.cpp
@@ -4419,12 +4419,12 @@ static void debugCallback (int fd, short flags, void *param) {
44194419 int data;
44204420 unsigned int qxdm_data[6];
44214421 const char *deactData[1] = {"1"};
4422- char *actData[1];
44234422 RIL_Dial dialData;
44244423 int hangupData[1] = {1};
44254424 int number;
44264425 char **args;
44274426 RIL_SOCKET_ID socket_id = RIL_SOCKET_1;
4427+ int MAX_DIAL_ADDRESS = 128;
44284428 int sim_id = 0;
44294429
44304430 RLOGI("debugCallback for socket %s", rilSocketIdToString(socket_id));
@@ -4571,12 +4571,6 @@ static void debugCallback (int fd, short flags, void *param) {
45714571 // Set network selection automatic.
45724572 issueLocalRequest(RIL_REQUEST_SET_NETWORK_SELECTION_AUTOMATIC, NULL, 0, socket_id);
45734573 break;
4574- case 6:
4575- RLOGI("Debug port: Setup Data Call, Apn :%s\n", args[1]);
4576- actData[0] = args[1];
4577- issueLocalRequest(RIL_REQUEST_SETUP_DATA_CALL, &actData,
4578- sizeof(actData), socket_id);
4579- break;
45804574 case 7:
45814575 RLOGI("Debug port: Deactivate Data Call");
45824576 issueLocalRequest(RIL_REQUEST_DEACTIVATE_DATA_CALL, &deactData,
@@ -4585,6 +4579,12 @@ static void debugCallback (int fd, short flags, void *param) {
45854579 case 8:
45864580 RLOGI("Debug port: Dial Call");
45874581 dialData.clir = 0;
4582+ if (strlen(args[1]) > MAX_DIAL_ADDRESS) {
4583+ RLOGE("Debug port: Error calling Dial");
4584+ freeDebugCallbackArgs(number, args);
4585+ close(acceptFD);
4586+ return;
4587+ }
45884588 dialData.address = args[1];
45894589 issueLocalRequest(RIL_REQUEST_DIAL, &dialData, sizeof(dialData), socket_id);
45904590 break;
Show on old repository browser