Integer overflow leading to a buffer overflow

Added a length check to avoid integer overflow
in the dataConnOpenCommand and setAPN methods.
As the APN name is only a few hundred bytes,
the macro defined in gps_extended_c.h is used.

Change-Id: Idb5ebbf2e3647de5fa07673f248c0c256d6c1b52
CRs-fixed: 2419292
This commit is contained in:
Nilesh Gharde 2019-03-22 17:26:09 +05:30 committed by Gerrit - the friendly Code Review server
parent 01869b4004
commit b47ee496e5
2 changed files with 14 additions and 7 deletions


@ -445,15 +445,14 @@ void AgpsStateMachine::setAPN(char* apn, unsigned int len){
if (NULL != mAPN) { if (NULL != mAPN) {
delete mAPN; delete mAPN;
mAPN = NULL;
} }
if (apn == NULL || len <= 0) { if (NULL == apn || len <= 0 || len > MAX_APN_LEN || strlen(apn) != len) {
LOC_LOGD("Invalid apn len (%d) or null apn", len); LOC_LOGD("Invalid apn len (%d) or null apn", len);
mAPN = NULL; mAPN = NULL;
mAPNLen = 0; mAPNLen = 0;
} } else {
if (NULL != apn) {
mAPN = new char[len+1]; mAPN = new char[len+1];
if (NULL != mAPN) { if (NULL != mAPN) {
memcpy(mAPN, apn, len); memcpy(mAPN, apn, len);


@ -3980,6 +3980,8 @@ void GnssAdapter::dataConnOpenCommand(
LOC_LOGV("AgpsMsgAtlOpenSuccess"); LOC_LOGV("AgpsMsgAtlOpenSuccess");
if (mApnName == nullptr) { if (mApnName == nullptr) {
LOC_LOGE("%s] new allocation failed, fatal error.", __func__); LOC_LOGE("%s] new allocation failed, fatal error.", __func__);
// Reporting the failure here
mAgpsManager->reportAtlClosed(mAgpsType);
return; return;
} }
memcpy(mApnName, apnName, apnLen); memcpy(mApnName, apnName, apnLen);
@ -3996,9 +3998,15 @@ void GnssAdapter::dataConnOpenCommand(
mAgpsManager->reportAtlOpenSuccess(mAgpsType, mApnName, mApnLen, mBearerType); mAgpsManager->reportAtlOpenSuccess(mAgpsType, mApnName, mApnLen, mBearerType);
} }
}; };
// Added inital length checks for apnlen check to avoid security issues
sendMsg( new AgpsMsgAtlOpenSuccess( // In case of failure reporting the same
&mAgpsManager, agpsType, apnName, apnLen, bearerType)); if (NULL == apnName || apnLen <= 0 || apnLen > MAX_APN_LEN || (strlen(apnName) != apnLen)) {
LOC_LOGe("%s]: incorrect apnlen length or incorrect apnName", __func__);
mAgpsManager.reportAtlClosed(agpsType);
} else {
sendMsg( new AgpsMsgAtlOpenSuccess(
&mAgpsManager, agpsType, apnName, apnLen, bearerType));
}
} }
void GnssAdapter::dataConnClosedCommand(AGpsExtType agpsType){ void GnssAdapter::dataConnClosedCommand(AGpsExtType agpsType){
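Review bot: The new guard on the `if (NULL == apnName || apnLen <= 0 || apnLen > MAX_APN_LEN || ...)` line still calls `strlen(apnName)` on a buffer whose termination this function cannot vouch for, so an unterminated name is read past its end before the length is ever compared; bounding the scan keeps the check itself within the limit, `(strnlen(apnName, MAX_APN_LEN + 1) != apnLen)`. The same pattern is in the setAPN hunk, where `len` is declared `unsigned int` so `len <= 0` reduces to `len == 0` and is clearer written that way; apnLen's type is not visible here since dataConnOpenCommand's signature is outside the hunk, but if it is unsigned the same applies. The failure path calls `mAgpsManager.reportAtlClosed(agpsType)` inline while the success path goes through `sendMsg`, so if sendMsg defers to the adapter's message thread, as the message-class pattern suggests, the closed report runs on the caller's thread instead — presumably intended, but worth stating in the comment. The added comment could read `// Validate apnName/apnLen before queuing the message; report ATL closed on failure` in place of the current wording.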