[automerger skipped] DO NOT MERGE - Merge qt-qpr1-dev-plus-aosp@6304901 into stage-aosp-master am: d4eef49c06 -s ours
am skip reason: subject contains skip directive
Change-Id: Ia0c335d109d514a265db752851ccba57ff5376ea
diff --git a/msm8998/gnss/Agps.cpp b/msm8998/gnss/Agps.cpp
index e671daa..f2fcdd9 100644
--- a/msm8998/gnss/Agps.cpp
+++ b/msm8998/gnss/Agps.cpp
@@ -452,19 +452,20 @@
if (NULL != mAPN) {
delete mAPN;
+ mAPN = NULL;
}
- if (apn == NULL || len <= 0) {
+ if (NULL == apn || len <= 0 || len > MAX_APN_LEN || strlen(apn) != len) {
LOC_LOGD("Invalid apn len (%d) or null apn", len);
mAPN = NULL;
mAPNLen = 0;
- }
-
- if (NULL != apn) {
+ } else {
mAPN = new char[len+1];
- memcpy(mAPN, apn, len);
- mAPN[len] = '\0';
- mAPNLen = len;
+ if (NULL != mAPN) {
+ memcpy(mAPN, apn, len);
+ mAPN[len] = '\0';
+ mAPNLen = len;
+ }
}
}
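Review bot: `strlen(apn) != len` in the new guard walks `apn` until it finds a NUL, so a buffer that is not terminated is read past its end before the length has been validated, and the comparison mixes `size_t` with what the `%d` in the log line suggests is a signed `len`. A bounded form placed after the range checks, `strnlen(apn, len) != (size_t)len`, reads at most `len` bytes and still rejects a name with a NUL before `len` (it accepts a longer string, which the copy truncates to `len` bytes anyway); the same expression appears in the GnssAdapter.cpp guard before `sendMsg`. The added `if (NULL != mAPN)` after `new char[len+1]` is probably dead code, since plain `new` does not return null on failure; `new (std::nothrow) char[len+1]` would make the branch reachable. Separately, the context line `delete mAPN;` should be `delete[] mAPN;` to match the array allocation. The enclosing function begins outside the hunk.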
diff --git a/msm8998/gnss/GnssAdapter.cpp b/msm8998/gnss/GnssAdapter.cpp
index 4de1129..98535f4 100644
--- a/msm8998/gnss/GnssAdapter.cpp
+++ b/msm8998/gnss/GnssAdapter.cpp
@@ -2544,6 +2544,12 @@
new char[apnLen + 1]), mApnLen(apnLen), mIpType(ipType) {
LOC_LOGV("AgpsMsgAtlOpenSuccess");
+ if (mApnName == nullptr) {
+ LOC_LOGE("%s] new allocation failed, fatal error.", __func__);
+ // Reporting the failure here
+ mAgpsManager->reportAtlClosed(mAgpsType);
+ return;
+ }
memcpy(mApnName, apnName, apnLen);
mApnName[apnLen] = 0;
}
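Review bot: The `mApnName == nullptr` check cannot fire as written, because the `new char[apnLen + 1]` in the initializer list is a plain `new`, which signals failure by throwing (or terminating where exceptions are disabled) rather than returning null; `new (std::nothrow) char[apnLen + 1]` is needed for the branch to be reachable. Even then, `return` only leaves the constructor: the object still exists with a null `mApnName`, and the caller's `sendMsg(new AgpsMsgAtlOpenSuccess(...))` would still queue it after `reportAtlClosed` has already been called, so the message handler presumably needs its own null check. The constructor's signature and the handler body are outside this hunk, so the second point is inferred from the visible lines only.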
@@ -2559,9 +2565,15 @@
mIpType);
}
};
-
+ // Added inital length checks for apnlen check to avoid security issues
+ // In case of failure reporting the same
+ if (NULL == apnName || apnLen <= 0 || apnLen > MAX_APN_LEN || (strlen(apnName) != apnLen)) {
+ LOC_LOGe("%s]: incorrect apnlen length or incorrect apnName", __func__);
+ mAgpsManager.reportAtlClosed(agpsType);
+ } else {
sendMsg( new AgpsMsgAtlOpenSuccess(
&mAgpsManager, (AGpsExtType)agpsType, apnName, apnLen, ipType));
+ }
}
void GnssAdapter::dataConnClosedCommand(AGpsExtType agpsType){
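Review bot: The comment added above the guard (`// Added inital length checks ... to avoid security issues`) does not say which invariant is enforced; something like `// Reject a null apnName, an apnLen outside 1..MAX_APN_LEN, or a name whose length differs from apnLen; report the ATL closed instead of queueing the message.` would tell the next reader what the check guarantees to the `memcpy` in the message constructor. The rejection log would be more useful for triage if it included the offending `apnLen`, as the Agps.cpp message does with `len`. `LOC_LOGe` here differs in case from the `LOC_LOGE` used in the constructor; if that is not a separate macro in this tree, it should be made consistent. The `sendMsg(...)` call now sits inside `else` but was not re-indented, and the enclosing function starts outside the hunk.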