diff --git a/gnss/Agps.cpp b/gnss/Agps.cpp
index a4f6a307..9de13292 100644
--- a/gnss/Agps.cpp
+++ b/gnss/Agps.cpp
@@ -445,15 +445,14 @@ void AgpsStateMachine::setAPN(char* apn, unsigned int len){
 if (NULL != mAPN) {
 delete mAPN;
+ mAPN = NULL;
 }
- if (apn == NULL || len <= 0) {
+ if (NULL == apn || len <= 0 || len > MAX_APN_LEN || strlen(apn) != len) {
 LOC_LOGD("Invalid apn len (%d) or null apn", len);
 mAPN = NULL;
 mAPNLen = 0;
- }
-
- if (NULL != apn) {
+ } else {
 mAPN = new char[len+1];
 if (NULL != mAPN) {
 memcpy(mAPN, apn, len);
diff --git a/gnss/GnssAdapter.cpp b/gnss/GnssAdapter.cpp
index f6dff894..8d171a6d 100644
--- a/gnss/GnssAdapter.cpp
+++ b/gnss/GnssAdapter.cpp
@@ -3980,6 +3980,8 @@ void GnssAdapter::dataConnOpenCommand(
 LOC_LOGV("AgpsMsgAtlOpenSuccess");
 if (mApnName == nullptr) {
 LOC_LOGE("%s] new allocation failed, fatal error.", __func__);
+ // Reporting the failure here
+ mAgpsManager->reportAtlClosed(mAgpsType);
 return;
 }
 memcpy(mApnName, apnName, apnLen);
@@ -3996,9 +3998,15 @@ void GnssAdapter::dataConnOpenCommand(
 mAgpsManager->reportAtlOpenSuccess(mAgpsType, mApnName, mApnLen, mBearerType);
 }
 };
-
- sendMsg( new AgpsMsgAtlOpenSuccess(
- &mAgpsManager, agpsType, apnName, apnLen, bearerType));
+ // Added inital length checks for apnlen check to avoid security issues
+ // In case of failure reporting the same
+ if (NULL == apnName || apnLen <= 0 || apnLen > MAX_APN_LEN || (strlen(apnName) != apnLen)) {
+ LOC_LOGe("%s]: incorrect apnlen length or incorrect apnName", __func__);
+ mAgpsManager.reportAtlClosed(agpsType);
+ } else {
+ sendMsg( new AgpsMsgAtlOpenSuccess(
+ &mAgpsManager, agpsType, apnName, apnLen, bearerType));
+ }
 }
 
 void GnssAdapter::dataConnClosedCommand(AGpsExtType agpsType){
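Review bot: The new `strlen(apn) != len` test in setAPN walks `apn` until it finds a NUL, so a caller that hands in an unterminated buffer with an otherwise correct `len` gets an over-read from the very check that was added to catch bad lengths; `strnlen(apn, len + 1) != len` rejects the same inputs (shorter or longer than `len`) while never reading past `len + 1` bytes. `len <= 0` on an `unsigned int` can only ever match zero, so `len == 0` states the intent and avoids a signed-compare warning. The `delete mAPN` context line frees a buffer that the else branch allocates with `new char[len+1]`, which needs `delete[] mAPN`; that mismatch predates this commit but is three lines above the new code and worth fixing in the same change. setAPN's body continues past the end of the hunk.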
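Review bot: The `mApnName == nullptr` branch that now calls `reportAtlClosed` is only reachable if `mApnName` is allocated with a nothrow `new`; the allocation itself is outside this hunk, but if it is a plain `new char[...]` the default throwing `operator new` raises `std::bad_alloc` before this check runs and the ATL is still never reported closed. Either allocate with `new (std::nothrow) char[...]` so the check is live, or drop the dead branch rather than giving it a failure path that cannot execute. The added comment `// Reporting the failure here` only restates the call; `// Allocation failed: tell the AGPS manager the ATL open did not complete so it does not wait for an APN` says why the report is needed. The enclosing function starts before and ends after this hunk.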
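Review bot: `strlen(apnName) != apnLen` in the new guard runs on a buffer whose only length claim is the untrusted `apnLen`, so an unterminated APN is read past its end by the check that was added to prevent exactly that; `strnlen(apnName, apnLen + 1) != apnLen` gives the same accept/reject outcome with a bounded read, and the `apnLen > MAX_APN_LEN` test before it keeps the bound small. The rejection log prints only `__func__`, which leaves nothing to correlate when a bad length arrives from the data-connection side; `LOC_LOGe("%s]: invalid apnLen (%d) or apnName", __func__, apnLen);` records the value that failed. The comment has a typo, `inital`, and its second sentence ("In case of failure reporting the same") would read better as `// On rejection report the ATL as closed so the caller does not wait for an open`. dataConnOpenCommand starts before the hunk.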