Check intent action in OMS.PackageReceiver for secure coding
NullPointerException occurs when OMS receives an intent with null action.
In constructor of OverlayManagerService, OMS.PackageReceiver is registered
with data scheme "package".
If a malicious app send broadcast intent only with data scheme "package",
NPE occurs because OMS.PackageReceiver does not check
whether intent.getAction() is null or not.
So add a logic to ignore intent with null action for secure coding.
Test: send broadcast without action like below.
Intent intent = new Intent();
Uri uri = Uri.parse("package:com.test");
intent.setData(uri);
intent.addFlags(0x01000000);
sendBroadcast(intent);
Change-Id: I654f54a8a685de2ab985b87f53ad07c4e27db09d
Signed-off-by: Youngha Park <yh007.park@samsung.com>
diff --git a/services/core/java/com/android/server/om/OverlayManagerService.java b/services/core/java/com/android/server/om/OverlayManagerService.java
index 2940a6e..ad1f3e9 100644
--- a/services/core/java/com/android/server/om/OverlayManagerService.java
+++ b/services/core/java/com/android/server/om/OverlayManagerService.java
@@ -321,6 +321,11 @@
private final class PackageReceiver extends BroadcastReceiver {
@Override
public void onReceive(@NonNull final Context context, @NonNull final Intent intent) {
+ final String action = intent.getAction();
+ if (action == null) {
+ Slog.e(TAG, "Cannot handle package broadcast with null action");
+ return;
+ }
final Uri data = intent.getData();
if (data == null) {
Slog.e(TAG, "Cannot handle package broadcast with null data");
@@ -338,7 +343,7 @@
userIds = new int[] { UserHandle.getUserId(extraUid) };
}
- switch (intent.getAction()) {
+ switch (action) {
case ACTION_PACKAGE_ADDED:
if (replacing) {
onPackageUpgraded(packageName, userIds);