Merge "Integer overflow leading to a buffer overflow"

2019-04-01 22:11:09 -07:00 · 2019-04-01 22:11:09 -07:00 · 3e614934d1
commit 3e614934d1
parent 449fdb73e2 b47ee496e5
2 changed files with 14 additions and 7 deletions
--- a/gnss/Agps.cpp
+++ b/gnss/Agps.cpp
@ -445,15 +445,14 @@ void AgpsStateMachine::setAPN(char* apn, unsigned int len){

    if (NULL != mAPN) {
        delete mAPN;
+        mAPN  = NULL;
    }

-    if (apn == NULL || len <= 0) {
+    if (NULL == apn || len <= 0 || len > MAX_APN_LEN || strlen(apn) != len) {
        LOC_LOGD("Invalid apn len (%d) or null apn", len);
        mAPN = NULL;
        mAPNLen = 0;
-    }
-
-    if (NULL != apn) {
+    } else {
        mAPN = new char[len+1];
        if (NULL != mAPN) {
            memcpy(mAPN, apn, len);
--- a/gnss/GnssAdapter.cpp
+++ b/gnss/GnssAdapter.cpp
@ -4054,6 +4054,8 @@ void GnssAdapter::dataConnOpenCommand(
            LOC_LOGV("AgpsMsgAtlOpenSuccess");
            if (mApnName == nullptr) {
                LOC_LOGE("%s] new allocation failed, fatal error.", __func__);
+                // Reporting the failure here
+                mAgpsManager->reportAtlClosed(mAgpsType);
                return;
            }
            memcpy(mApnName, apnName, apnLen);
@ -4070,10 +4072,16 @@ void GnssAdapter::dataConnOpenCommand(
            mAgpsManager->reportAtlOpenSuccess(mAgpsType, mApnName, mApnLen, mBearerType);
        }
    };
-
+    // Added inital length checks for apnlen check to avoid security issues
+    // In case of failure reporting the same
+    if (NULL == apnName || apnLen <= 0 || apnLen > MAX_APN_LEN || (strlen(apnName) != apnLen)) {
+        LOC_LOGe("%s]: incorrect apnlen length or incorrect apnName", __func__);
+        mAgpsManager.reportAtlClosed(agpsType);
+    } else {
        sendMsg( new AgpsMsgAtlOpenSuccess(
                    &mAgpsManager, agpsType, apnName, apnLen, bearerType));
    }
+}

 void GnssAdapter::dataConnClosedCommand(AGpsExtType agpsType){