From 85fd87521f98c0af950f81910ce2652a8b041085 Mon Sep 17 00:00:00 2001
From: Sanket Padawe
Date: Sat, 10 Feb 2018 22:40:59 +0100
Subject: [PATCH] xmm6260: Fix security vulnerability in pre-O rild code.
Remove wrong code for setup_data_call. Add check for max address for RIL_DIAL.
Bug: 37896655
Test: Manual.
(cherry picked from commit dda24c6557911aa1f4708abbd6b2f20f0e205b9e)
Change-Id: Ie6742b10247e552343e3fcf8b2d2520722a0b24d
---
 ril/xmm6260/libril/ril.cpp | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/ril/xmm6260/libril/ril.cpp b/ril/xmm6260/libril/ril.cpp
index 42b19ff..661d48d 100755
--- a/ril/xmm6260/libril/ril.cpp
+++ b/ril/xmm6260/libril/ril.cpp
@@ -3062,11 +3062,11 @@ static void debugCallback (int fd, short flags, void *param) {
 int data;
 unsigned int qxdm_data[6];
 const char *deactData[1] = {"1"};
- char *actData[1];
 RIL_Dial dialData;
 int hangupData[1] = {1};
 int number;
 char **args;
+ int MAX_DIAL_ADDRESS = 128;
 acceptFD = accept (fd, (sockaddr *) &peeraddr, &socklen);
@@ -3148,12 +3148,6 @@ static void debugCallback (int fd, short flags, void *param) {
 // Set network selection automatic.
 issueLocalRequest(RIL_REQUEST_SET_NETWORK_SELECTION_AUTOMATIC, NULL, 0);
 break;
- case 6:
- RLOGI("Debug port: Setup Data Call, Apn :%s\n", args[1]);
- actData[0] = args[1];
- issueLocalRequest(RIL_REQUEST_SETUP_DATA_CALL, &actData,
- sizeof(actData));
- break;
 case 7:
 RLOGI("Debug port: Deactivate Data Call");
 issueLocalRequest(RIL_REQUEST_DEACTIVATE_DATA_CALL, &deactData,
@@ -3162,6 +3156,12 @@ static void debugCallback (int fd, short flags, void *param) {
 case 8:
 RLOGI("Debug port: Dial Call");
 dialData.clir = 0;
+ if (strlen(args[1]) > MAX_DIAL_ADDRESS) {
+ RLOGE("Debug port: Error calling Dial");
+ freeDebugCallbackArgs(number, args);
+ close(acceptFD);
+ return;
+ }
 dialData.address = args[1];
 issueLocalRequest(RIL_REQUEST_DIAL, &dialData, sizeof(dialData));
 break;
--
2.20.1
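Review bot: `MAX_DIAL_ADDRESS` is added in the first hunk as a mutable `int` local, yet the third hunk compares it with the `size_t` result of `strlen`, giving a signed/unsigned comparison on a name that reads like a constant. Declaring it as `static const size_t MAX_DIAL_ADDRESS = 128;` keeps the bound immutable and type-matched. The hunk does not show where 128 comes from, so a one-line comment naming the limit it mirrors for `dialData.address` would help the next reader. debugCallback's body starts and ends outside this hunk.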
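Review bot: The length check added under `case 8` in the third hunk dereferences `args[1]` with no visible guarantee that a second argument was received, so a request carrying only the command number could still reach `strlen` on a missing or NULL entry. The code that reads `number` and fills `args` lies outside the hunk, so this needs confirming there. If it is not enforced, widen the guard to `if (number < 2 || args[1] == NULL || strlen(args[1]) > MAX_DIAL_ADDRESS) {`. The `RLOGE` text would also serve triage better if it said the dial address was missing or too long rather than the generic "Error calling Dial".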