From 550885d158f5371cb207228eb1b7fb06aac32ea3 Mon Sep 17 00:00:00 2001
From: Tammo Spalink
Date: Fri, 22 May 2009 13:08:52 +0800
Subject: [PATCH] added SmsMessage ConcatRef parsing validation addresses bugs: http://b/issue?id=1870607 http://b/issue?id=1688238 and prior perforce commit: http://s9/?change_num=136189
---
 .../android/internal/telephony/SmsHeader.java | 15 ++++++--
 .../com/android/unit_tests/CdmaSmsTest.java | 37 +++++++++++++++++++
 2 files changed, 49 insertions(+), 3 deletions(-)
diff --git a/telephony/java/com/android/internal/telephony/SmsHeader.java b/telephony/java/com/android/internal/telephony/SmsHeader.java
index d220648c96594..7872eec1ad208 100644
--- a/telephony/java/com/android/internal/telephony/SmsHeader.java
+++ b/telephony/java/com/android/internal/telephony/SmsHeader.java
@@ -111,7 +111,10 @@ public class SmsHeader {
 /**
 * NOTE: as defined in the spec, ConcatRef and PortAddr
 * fields should not reoccur, but if they do the last
- * occurrence is to be used.
+ * occurrence is to be used. Also, for ConcatRef
+ * elements, if the count is zero, sequence is zero, or
+ * sequence is larger than count, the entire element is to
+ * be ignored.
 */
 int id = inStream.read();
 int length = inStream.read();
@@ -124,7 +127,10 @@ public class SmsHeader {
 concatRef.msgCount = inStream.read();
 concatRef.seqNumber = inStream.read();
 concatRef.isEightBits = true;
- smsHeader.concatRef = concatRef;
+ if (concatRef.msgCount != 0 && concatRef.seqNumber != 0 &&
+ concatRef.seqNumber <= concatRef.msgCount) {
+ smsHeader.concatRef = concatRef;
+ }
 break;
 case ELT_ID_CONCATENATED_16_BIT_REFERENCE:
 concatRef = new ConcatRef();
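Review bot: The new guard in the 8-bit ConcatRef case tests `!= 0`, so a header that ends early can still pass it: `InputStream.read()` returns -1 at end of stream, and if `inStream` is a byte-array stream and the ConcatRef fields are ints (both look likely from the test's `fromByteArray` call, but are not visible here), a truncated element gives msgCount = -1 and seqNumber = -1, which satisfies all three conditions. Because the user data header is taken from the received message, I would state the bounds explicitly with `if (concatRef.msgCount > 0 && concatRef.seqNumber > 0 &&` and keep the `<=` line as it is. The identical guard in the 16-bit case (the `@@ -132,7 +138,10 @@` hunk) needs the same change, and the two copies could share one small private helper so they cannot drift apart. The switch body starts and ends outside these hunks, so whether `length` is checked against the element size cannot be judged from here.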
@@ -132,7 +138,10 @@ public class SmsHeader {
 concatRef.msgCount = inStream.read();
 concatRef.seqNumber = inStream.read();
 concatRef.isEightBits = false;
- smsHeader.concatRef = concatRef;
+ if (concatRef.msgCount != 0 && concatRef.seqNumber != 0 &&
+ concatRef.seqNumber <= concatRef.msgCount) {
+ smsHeader.concatRef = concatRef;
+ }
 break;
 case ELT_ID_APPLICATION_PORT_ADDRESSING_8_BIT:
 portAddrs = new PortAddrs();
diff --git a/tests/AndroidTests/src/com/android/unit_tests/CdmaSmsTest.java b/tests/AndroidTests/src/com/android/unit_tests/CdmaSmsTest.java
index f8d5d4dde0fe6..75fd1575a5d64 100644
--- a/tests/AndroidTests/src/com/android/unit_tests/CdmaSmsTest.java
+++ b/tests/AndroidTests/src/com/android/unit_tests/CdmaSmsTest.java
@@ -168,6 +168,43 @@ public class CdmaSmsTest extends AndroidTestCase { assertEquals(decodedHeader.portAddrs, null); } + @SmallTest + public void testUserDataHeaderIllegalConcatRef() throws Exception { + BearerData bearerData = new BearerData(); + bearerData.messageType = BearerData.MESSAGE_TYPE_DELIVER; + bearerData.messageId = 55; + SmsHeader.ConcatRef concatRef = new SmsHeader.ConcatRef(); + concatRef.refNumber = 0x10; + concatRef.msgCount = 0; + concatRef.seqNumber = 2; + concatRef.isEightBits = true; + SmsHeader smsHeader = new SmsHeader(); + smsHeader.concatRef = concatRef; + byte[] encodedHeader = SmsHeader.toByteArray(smsHeader); + SmsHeader decodedHeader = SmsHeader.fromByteArray(encodedHeader); + assertEquals(decodedHeader.concatRef, null); + concatRef.isEightBits = false; + encodedHeader = SmsHeader.toByteArray(smsHeader); + decodedHeader = SmsHeader.fromByteArray(encodedHeader); + assertEquals(decodedHeader.concatRef, null); + concatRef.msgCount = 1; + concatRef.seqNumber = 2; + encodedHeader = SmsHeader.toByteArray(smsHeader); + decodedHeader = SmsHeader.fromByteArray(encodedHeader); + assertEquals(decodedHeader.concatRef, null); + concatRef.msgCount = 1; + concatRef.seqNumber = 0; + encodedHeader = SmsHeader.toByteArray(smsHeader); + decodedHeader = SmsHeader.fromByteArray(encodedHeader); + assertEquals(decodedHeader.concatRef, null); + concatRef.msgCount = 2; + concatRef.seqNumber = 1; + encodedHeader = SmsHeader.toByteArray(smsHeader); + decodedHeader = SmsHeader.fromByteArray(encodedHeader); + assertEquals(decodedHeader.concatRef.msgCount, 2); + assertEquals(decodedHeader.concatRef.seqNumber, 1); + } + @SmallTest public void testUserDataHeaderMixedFeedback() throws Exception { BearerData bearerData = new BearerData();
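Review bot: After `concatRef.isEightBits = false;` the flag is never set back, so the sequence-greater-than-count and sequence-zero cases run only through the 16-bit element, and the 8-bit branch is checked only for count zero. Repeating those cases with `isEightBits = true`, and adding a boundary case where seqNumber equals msgCount, would exercise both copies of the guard. The calls `assertEquals(decodedHeader.concatRef, null)` pass the actual value first; `assertNull(decodedHeader.concatRef)` states the intent and gives a clearer failure message. The `bearerData` object built at the top of the test is not used in the lines shown and could be dropped.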