Fix OOB vulnerability in setGsm/CdmaSmsBroadcastConfigInfo

Error if length > 25

Test: lunch cf_x86_phone-userdebug && mm
Bug: 144046782
Change-Id: I18f9745174762a52fc20bfc7273c6b3fd2118da5
Merged-In: I18f9745174762a52fc20bfc7273c6b3fd2118da5

2 files changed, 13 insertions, 0 deletions

diff --git a/include/telephony/ril.h b/include/telephony/ril.h
index e189777..7530146 100644
--- a/include/telephony/ril.h
+++ b/include/telephony/ril.h
@@ -107,6 +107,7 @@ extern "C" {
 #define MAX_BANDS 8
 #define MAX_CHANNELS 32
 #define MAX_RADIO_ACCESS_NETWORKS 8
+#define MAX_BROADCAST_SMS_CONFIG_INFO 25
 
 
 typedef void * RIL_Token;
diff --git a/libril/ril_service.cpp b/libril/ril_service.cpp
index c655672..c97b607 100755
--- a/libril/ril_service.cpp
+++ b/libril/ril_service.cpp
@@ -1799,6 +1799,12 @@ Return<void> RadioImpl::setGsmBroadcastConfig(int32_t serial,
     }
 
     int num = configInfo.size();
+    if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+        RLOGE("setGsmBroadcastConfig: Invalid configInfo length %s",
+                requestToString(pRI->pCI->requestNumber));
+        sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+        return Void();
+    }
     RIL_GSM_BroadcastSmsConfigInfo gsmBci[num];
     RIL_GSM_BroadcastSmsConfigInfo *gsmBciPtrs[num];
 
@@ -1846,6 +1852,12 @@ Return<void> RadioImpl::setCdmaBroadcastConfig(int32_t serial,
     }
 
     int num = configInfo.size();
+    if (num > MAX_BROADCAST_SMS_CONFIG_INFO) {
+        RLOGE("setCdmaBroadcastConfig: Invalid configInfo length %s",
+                requestToString(pRI->pCI->requestNumber));
+        sendErrorResponse(pRI, RIL_E_INVALID_ARGUMENTS);
+        return Void();
+    }
     RIL_CDMA_BroadcastSmsConfigInfo cdmaBci[num];
     RIL_CDMA_BroadcastSmsConfigInfo *cdmaBciPtrs[num];