xmm6260: Fix security vulnerability in pre-O rild code. cm-11.0
authorSanket Padawe <sanketpadawe@google.com>
Sat, 10 Feb 2018 21:40:59 +0000 (22:40 +0100)
committerTim Schumacher <timschumi@gmx.de>
Mon, 12 Feb 2018 12:27:32 +0000 (13:27 +0100)
Remove wrong code for setup_data_call.
Add check for max address for RIL_DIAL.

Bug: 37896655
Test: Manual.
(cherry picked from commit dda24c6557911aa1f4708abbd6b2f20f0e205b9e)

Change-Id: Ie6742b10247e552343e3fcf8b2d2520722a0b24d

ril/xmm6260/libril/ril.cpp

index 42b19ffdbc4133f7c070c0597bc8a84c9ece0cfb..661d48d619ab24c0fe088a9fcfd94977d7eaf336 100755 (executable)
@@ -3062,11 +3062,11 @@ static void debugCallback (int fd, short flags, void *param) {
     int data;
     unsigned int qxdm_data[6];
     const char *deactData[1] = {"1"};
-    char *actData[1];
     RIL_Dial dialData;
     int hangupData[1] = {1};
     int number;
     char **args;
+    int MAX_DIAL_ADDRESS = 128;
 
     acceptFD = accept (fd,  (sockaddr *) &peeraddr, &socklen);
 
@@ -3148,12 +3148,6 @@ static void debugCallback (int fd, short flags, void *param) {
             // Set network selection automatic.
             issueLocalRequest(RIL_REQUEST_SET_NETWORK_SELECTION_AUTOMATIC, NULL, 0);
             break;
-        case 6:
-            RLOGI("Debug port: Setup Data Call, Apn :%s\n", args[1]);
-            actData[0] = args[1];
-            issueLocalRequest(RIL_REQUEST_SETUP_DATA_CALL, &actData,
-                              sizeof(actData));
-            break;
         case 7:
             RLOGI("Debug port: Deactivate Data Call");
             issueLocalRequest(RIL_REQUEST_DEACTIVATE_DATA_CALL, &deactData,
@@ -3162,6 +3156,12 @@ static void debugCallback (int fd, short flags, void *param) {
         case 8:
             RLOGI("Debug port: Dial Call");
             dialData.clir = 0;
+            if (strlen(args[1]) > MAX_DIAL_ADDRESS) {
+                RLOGE("Debug port: Error calling Dial");
+                freeDebugCallbackArgs(number, args);
+                close(acceptFD);
+                return;
+            }
             dialData.address = args[1];
             issueLocalRequest(RIL_REQUEST_DIAL, &dialData, sizeof(dialData));
             break;
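Review bot: The new length check in case 8 calls `strlen(args[1])` with no visible guarantee that the debug-socket client supplied a second argument, so a request carrying only the command number would presumably index past the end of `args` or read a NULL entry before the limit is applied. The code that reads and validates `number` (presumably the argument count, given `freeDebugCallbackArgs(number, args)`) lies outside these hunks, so confirm it there. If it is not enforced, widen the guard to `if (number < 2 || args[1] == NULL || strlen(args[1]) > MAX_DIAL_ADDRESS) {`. Separately, the limit added in the first hunk is a mutable signed `int` compared against a `size_t`; `const size_t MAX_DIAL_ADDRESS = 128;` avoids the sign-compare warning and states the intent. The body of debugCallback starts and ends outside the hunks shown.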