Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bf6b2ee3 authored by Pengquan Meng's avatar Pengquan Meng
Browse files

Fix Inavlid Pdu Issue mnc-dev 

The device may receive invalid sms pdu, i.e the pdu contins sms header
with an invalid seqNumber. This caused InboundSmsHandler crashed constantly.
This CL added the range check for the seqNumber to ensure the
InboundSmsHandler will not crash even if the seqNumber is invalid.

Bug: 72298611
Test: no test

Merged-In: I219961d63bbb3b9195cfea8b38a877a00af70522
Merged-In: Icf291c8530abdc2a528c5cf227cf00135281b899
Change-Id: Icf24f88bf73640ba519943c3a8c8f9c4afd8c4c3
parent 7933d601

src/java/com/android/internal/telephony/InboundSmsHandler.java

+29 −0
Original line number Diff line number Diff line
@@ -66,6 +66,7 @@ import android.telephony.SmsMessage; 
import android.telephony.SubscriptionManager;

import android.telephony.TelephonyManager;

import android.text.TextUtils;

import android.util.EventLog;



import com.android.internal.telephony.uicc.UiccCard;

import com.android.internal.telephony.uicc.UiccController;
@@ -691,6 +692,18 @@ public abstract class InboundSmsHandler extends StateMachine { 
        byte[][] pdus;

        int destPort = tracker.getDestPort();



        // Do not process when the message count is invalid.

        if (messageCount <= 0) {

            EventLog.writeEvent(

                    0x534e4554 /* snetTagId */,

                    "72298611" /* buganizer id */,

                    -1 /* uid */,

                    String.format(

                        "processMessagePart: invalid messageCount = %d",

                        messageCount));

            return false;

        }



        if (messageCount == 1) {

            // single-part message

            pdus = new byte[][]{tracker.getPdu()};
@@ -724,6 +737,22 @@ public abstract class InboundSmsHandler extends StateMachine { 
                    // subtract offset to convert sequence to 0-based array index

                    int index = cursor.getInt(SEQUENCE_COLUMN) - tracker.getIndexOffset();



                    // The invalid PDUs can be received and stored in the raw table. The range

                    // check ensures the process not crash even if the seqNumber in the

                    // UserDataHeader is invalid.

                    if (index >= pdus.length || index < 0) {

                        EventLog.writeEvent(

                                0x534e4554 /* snetTagId */,

                                "72298611" /* buganizer id */,

                                -1 /* uid */,

                                String.format(

                                    "processMessagePart: invalid seqNumber = %d, "

                                    + "messageCount = %d",

                                    index + tracker.getIndexOffset(),

                                    messageCount));

                        continue;

                    }



                    pdus[index] = HexDump.hexStringToByteArray(cursor.getString(PDU_COLUMN));



                    // Read the destination port from the first segment (needed for CDMA WAP PDU).