Fix bug in CDMA WDP datagram handling (fixes incoming MMS).
CDMA WDP datagram handling was refactored to use the same method
that handles concatenated SMS messages. WDP datagram sequence numbers
start at 0, but GSM/CDMA concatenated sequence numbers start at 1.
Changed SMSDispatcher.processMessagePart() to count from 0 when
handling WDP datagrams.
Also changed CdmaSMSDispatcher.processCdmaWapPdu() to correctly
decode segment numbers > 127 (signed byte conversion bug)
and to reject PDUs with an out-of-range segment number (invalid
ranges are already rejected for regular concatenated messages).
Bug: 5433331
Change-Id: I25c9567769de8edca789c0d1707d4916a4c46885
diff --git a/telephony/java/com/android/internal/telephony/SMSDispatcher.java b/telephony/java/com/android/internal/telephony/SMSDispatcher.java
index e4c6028..a42a267 100644
--- a/telephony/java/com/android/internal/telephony/SMSDispatcher.java
+++ b/telephony/java/com/android/internal/telephony/SMSDispatcher.java
@@ -518,6 +518,7 @@
* @param address the originating address
* @param referenceNumber distinguishes concatenated messages from the same sender
* @param sequenceNumber the order of this segment in the message
+ * (starting at 0 for CDMA WDP datagrams and 1 for concatenated messages).
* @param messageCount the number of segments in the message
* @param timestamp the service center timestamp in millis
* @param destPort the destination port for the message, or -1 for no destination port
@@ -583,7 +584,11 @@
for (int i = 0; i < cursorCount; i++) {
cursor.moveToNext();
int cursorSequence = cursor.getInt(SEQUENCE_COLUMN);
- pdus[cursorSequence - 1] = HexDump.hexStringToByteArray(
+ // GSM sequence numbers start at 1; CDMA WDP datagram sequence numbers start at 0
+ if (!isCdmaWapPush) {
+ cursorSequence--;
+ }
+ pdus[cursorSequence] = HexDump.hexStringToByteArray(
cursor.getString(PDU_COLUMN));
// Read the destination port from the first segment (needed for CDMA WAP PDU).
@@ -593,7 +598,12 @@
}
}
// This one isn't in the DB, so add it
- pdus[sequenceNumber - 1] = pdu;
+ // GSM sequence numbers start at 1; CDMA WDP datagram sequence numbers start at 0
+ if (isCdmaWapPush) {
+ pdus[sequenceNumber] = pdu;
+ } else {
+ pdus[sequenceNumber - 1] = pdu;
+ }
// Remove the parts from the database
mResolver.delete(mRawUri, where, whereArgs);
diff --git a/telephony/java/com/android/internal/telephony/cdma/CdmaSMSDispatcher.java b/telephony/java/com/android/internal/telephony/cdma/CdmaSMSDispatcher.java
index fe41e7e..ca8d9ae 100755
--- a/telephony/java/com/android/internal/telephony/cdma/CdmaSMSDispatcher.java
+++ b/telephony/java/com/android/internal/telephony/cdma/CdmaSMSDispatcher.java
@@ -198,13 +198,18 @@
protected int processCdmaWapPdu(byte[] pdu, int referenceNumber, String address) {
int index = 0;
- int msgType = pdu[index++];
+ int msgType = (0xFF & pdu[index++]);
if (msgType != 0) {
Log.w(TAG, "Received a WAP SMS which is not WDP. Discard.");
return Intents.RESULT_SMS_HANDLED;
}
- int totalSegments = pdu[index++]; // >= 1
- int segment = pdu[index++]; // >= 0
+ int totalSegments = (0xFF & pdu[index++]); // >= 1
+ int segment = (0xFF & pdu[index++]); // >= 0
+
+ if (segment >= totalSegments) {
+ Log.e(TAG, "WDP bad segment #" + segment + " expecting 0-" + (totalSegments - 1));
+ return Intents.RESULT_SMS_HANDLED;
+ }
// Only the first segment contains sourcePort and destination Port
int sourcePort = 0;