hardware/ril
Revision | 8d716a827e1a5890054208b5ab7abaec2ba4b221 (tree) |
---|---|
Time | 2017-09-29 02:15:05 |
Author | Sanket Padawe <sanketpadawe@goog...> |
Commiter | android-build-team Robot |
DO NOT MERGE
Fix security vulnerability in pre-O rild code.
Remove wrong code for setup_data_call.
Add check for max address for RIL_DIAL.
Bug: 37896655
Test: Manual.
Change-Id: I05c027140ae828a2653794fcdd94e1b1a130941b
(cherry picked from commit dda24c6557911aa1f4708abbd6b2f20f0e205b9e)
@@ -4419,12 +4419,12 @@ static void debugCallback (int fd, short flags, void *param) { | ||
4419 | 4419 | int data; |
4420 | 4420 | unsigned int qxdm_data[6]; |
4421 | 4421 | const char *deactData[1] = {"1"}; |
4422 | - char *actData[1]; | |
4423 | 4422 | RIL_Dial dialData; |
4424 | 4423 | int hangupData[1] = {1}; |
4425 | 4424 | int number; |
4426 | 4425 | char **args; |
4427 | 4426 | RIL_SOCKET_ID socket_id = RIL_SOCKET_1; |
4427 | + int MAX_DIAL_ADDRESS = 128; | |
4428 | 4428 | int sim_id = 0; |
4429 | 4429 | |
4430 | 4430 | RLOGI("debugCallback for socket %s", rilSocketIdToString(socket_id)); |
@@ -4571,12 +4571,6 @@ static void debugCallback (int fd, short flags, void *param) { | ||
4571 | 4571 | // Set network selection automatic. |
4572 | 4572 | issueLocalRequest(RIL_REQUEST_SET_NETWORK_SELECTION_AUTOMATIC, NULL, 0, socket_id); |
4573 | 4573 | break; |
4574 | - case 6: | |
4575 | - RLOGI("Debug port: Setup Data Call, Apn :%s\n", args[1]); | |
4576 | - actData[0] = args[1]; | |
4577 | - issueLocalRequest(RIL_REQUEST_SETUP_DATA_CALL, &actData, | |
4578 | - sizeof(actData), socket_id); | |
4579 | - break; | |
4580 | 4574 | case 7: |
4581 | 4575 | RLOGI("Debug port: Deactivate Data Call"); |
4582 | 4576 | issueLocalRequest(RIL_REQUEST_DEACTIVATE_DATA_CALL, &deactData, |
@@ -4585,6 +4579,12 @@ static void debugCallback (int fd, short flags, void *param) { | ||
4585 | 4579 | case 8: |
4586 | 4580 | RLOGI("Debug port: Dial Call"); |
4587 | 4581 | dialData.clir = 0; |
4582 | + if (strlen(args[1]) > MAX_DIAL_ADDRESS) { | |
4583 | + RLOGE("Debug port: Error calling Dial"); | |
4584 | + freeDebugCallbackArgs(number, args); | |
4585 | + close(acceptFD); | |
4586 | + return; | |
4587 | + } | |
4588 | 4588 | dialData.address = args[1]; |
4589 | 4589 | issueLocalRequest(RIL_REQUEST_DIAL, &dialData, sizeof(dialData), socket_id); |
4590 | 4590 | break; |