Fixing security vulnerabilities in ril.cpp
Bug: 26522805
Change-Id: I8fa19a202b3ebe13dc617b417218b4f40fa8a702
diff --git a/libril/ril.cpp b/libril/ril.cpp
index cf93697..b4d914d 100755
--- a/libril/ril.cpp
+++ b/libril/ril.cpp
@@ -94,6 +94,7 @@
/* Negative values for private RIL errno's */
#define RIL_ERRNO_INVALID_RESPONSE -1
+#define RIL_ERRNO_NO_MEMORY -12
// request, response, and unsolicited msg print macro
#define PRINTBUF_SIZE 8096
@@ -463,6 +464,10 @@
#endif
pRI = (RequestInfo *)calloc(1, sizeof(RequestInfo));
+ if (pRI == NULL) {
+ RLOGE("Memory allocation failed for request %s", requestToString(request));
+ return;
+ }
pRI->local = 1;
pRI->token = 0xffffffff; // token is not used in this context
@@ -550,6 +555,10 @@
pRI = (RequestInfo *)calloc(1, sizeof(RequestInfo));
+ if (pRI == NULL) {
+ RLOGE("Memory allocation failed for request %s", requestToString(request));
+ return 0;
+ }
pRI->token = token;
pRI->pCI = &(s_commands[request]);
@@ -632,6 +641,13 @@
if (countStrings == 0) {
// just some non-null pointer
pStrings = (char **)alloca(sizeof(char *));
+ if (pStrings == NULL) {
+ RLOGE("Memory allocation failed for request %s",
+ requestToString(pRI->pCI->requestNumber));
+ closeRequest;
+ return;
+ }
+
datalen = 0;
} else if (((int)countStrings) == -1) {
pStrings = NULL;
@@ -640,6 +656,12 @@
datalen = sizeof(char *) * countStrings;
pStrings = (char **)alloca(datalen);
+ if (pStrings == NULL) {
+ RLOGE("Memory allocation failed for request %s",
+ requestToString(pRI->pCI->requestNumber));
+ closeRequest;
+ return;
+ }
for (int i = 0 ; i < countStrings ; i++) {
pStrings[i] = strdupReadString(p);
@@ -687,6 +709,10 @@
datalen = sizeof(int) * count;
pInts = (int *)alloca(datalen);
+ if (pInts == NULL) {
+ RLOGE("Memory allocation failed for request %s", requestToString(pRI->pCI->requestNumber));
+ return;
+ }
startRequest;
for (int i = 0 ; i < count ; i++) {
@@ -1291,6 +1317,13 @@
if (countStrings == 0) {
// just some non-null pointer
pStrings = (char **)alloca(sizeof(char *));
+ if (pStrings == NULL) {
+ RLOGE("Memory allocation failed for request %s",
+ requestToString(pRI->pCI->requestNumber));
+ closeRequest;
+ return;
+ }
+
datalen = 0;
} else if (((int)countStrings) == -1) {
pStrings = NULL;
@@ -1299,6 +1332,12 @@
datalen = sizeof(char *) * countStrings;
pStrings = (char **)alloca(datalen);
+ if (pStrings == NULL) {
+ RLOGE("Memory allocation failed for request %s",
+ requestToString(pRI->pCI->requestNumber));
+ closeRequest;
+ return;
+ }
for (int i = 0 ; i < countStrings ; i++) {
pStrings[i] = strdupReadString(p);
@@ -1949,8 +1988,21 @@
}
{
- RIL_DataProfileInfo dataProfiles[num];
- RIL_DataProfileInfo *dataProfilePtrs[num];
+ RIL_DataProfileInfo *dataProfiles =
+ (RIL_DataProfileInfo *)malloc(num * sizeof(RIL_DataProfileInfo));
+ if (dataProfiles == NULL) {
+ RLOGE("Memory allocation failed for request %s",
+ requestToString(pRI->pCI->requestNumber));
+ return;
+ }
+ RIL_DataProfileInfo **dataProfilePtrs =
+ (RIL_DataProfileInfo **)malloc(num * sizeof(RIL_DataProfileInfo *));
+ if (dataProfilePtrs == NULL) {
+ RLOGE("Memory allocation failed for request %s",
+ requestToString(pRI->pCI->requestNumber));
+ free(dataProfiles);
+ return;
+ }
startRequest;
for (int i = 0 ; i < num ; i++ ) {
@@ -1992,6 +2044,8 @@
printRequest(pRI->token, pRI->pCI->requestNumber);
if (status != NO_ERROR) {
+ free(dataProfiles);
+ free(dataProfilePtrs);
goto invalid;
}
CALL_ONREQUEST(pRI->pCI->requestNumber,
@@ -2003,6 +2057,8 @@
memset(dataProfiles, 0, num * sizeof(RIL_DataProfileInfo));
memset(dataProfilePtrs, 0, num * sizeof(RIL_DataProfileInfo *));
#endif
+ free(dataProfiles);
+ free(dataProfilePtrs);
}
return;
@@ -2822,6 +2878,11 @@
}
string8 = (char*) malloc((infoRec->rec.display.alpha_len + 1)
* sizeof(char) );
+ if (string8 == NULL) {
+ RLOGE("Memory allocation failed for responseCdmaInformationRecords");
+ closeRequest;
+ return RIL_ERRNO_NO_MEMORY;
+ }
for (int i = 0 ; i < infoRec->rec.display.alpha_len ; i++) {
string8[i] = infoRec->rec.display.alpha_buf[i];
}
@@ -2842,6 +2903,11 @@
}
string8 = (char*) malloc((infoRec->rec.number.len + 1)
* sizeof(char) );
+ if (string8 == NULL) {
+ RLOGE("Memory allocation failed for responseCdmaInformationRecords");
+ closeRequest;
+ return RIL_ERRNO_NO_MEMORY;
+ }
for (int i = 0 ; i < infoRec->rec.number.len; i++) {
string8[i] = infoRec->rec.number.buf[i];
}
@@ -2879,6 +2945,11 @@
}
string8 = (char*) malloc((infoRec->rec.redir.redirectingNumber
.len + 1) * sizeof(char) );
+ if (string8 == NULL) {
+ RLOGE("Memory allocation failed for responseCdmaInformationRecords");
+ closeRequest;
+ return RIL_ERRNO_NO_MEMORY;
+ }
for (int i = 0;
i < infoRec->rec.redir.redirectingNumber.len;
i++) {
@@ -4361,23 +4432,39 @@
if (recv(acceptFD, &number, sizeof(int), 0) != sizeof(int)) {
RLOGE ("error reading on socket: number of Args: \n");
+ close(acceptFD);
return;
}
+
args = (char **) malloc(sizeof(char*) * number);
+ if (args == NULL) {
+ RLOGE("Memory allocation failed for debug args");
+ close(acceptFD);
+ return;
+ }
for (int i = 0; i < number; i++) {
int len;
if (recv(acceptFD, &len, sizeof(int), 0) != sizeof(int)) {
RLOGE ("error reading on socket: Len of Args: \n");
freeDebugCallbackArgs(i, args);
+ close(acceptFD);
return;
}
+
// +1 for null-term
args[i] = (char *) malloc((sizeof(char) * len) + 1);
+ if (args[i] == NULL) {
+ RLOGE("Memory allocation failed for debug args");
+ freeDebugCallbackArgs(i, args);
+ close(acceptFD);
+ return;
+ }
if (recv(acceptFD, args[i], sizeof(char) * len, 0)
!= (int)sizeof(char) * len) {
RLOGE ("error reading on socket: Args[%d] \n", i);
freeDebugCallbackArgs(i, args);
+ close(acceptFD);
return;
}
char * buf = args[i];
@@ -5021,14 +5108,18 @@
ret = pthread_mutex_lock(&s_wakeLockCountMutex);
assert(ret == 0);
acquire_wake_lock(PARTIAL_WAKE_LOCK, ANDROID_WAKE_LOCK_NAME);
- s_wakelock_count++;
- if (s_last_wake_timeout_info != NULL) {
- s_last_wake_timeout_info->userParam = (void *)1;
+
+ UserCallbackInfo *p_info =
+ internalRequestTimedCallback(wakeTimeoutCallback, NULL, &TIMEVAL_WAKE_TIMEOUT);
+ if (p_info == NULL) {
+ release_wake_lock(ANDROID_WAKE_LOCK_NAME);
+ } else {
+ s_wakelock_count++;
+ if (s_last_wake_timeout_info != NULL) {
+ s_last_wake_timeout_info->userParam = (void *)1;
+ }
+ s_last_wake_timeout_info = p_info;
}
-
- s_last_wake_timeout_info
- = internalRequestTimedCallback(wakeTimeoutCallback, NULL, &TIMEVAL_WAKE_TIMEOUT);
-
ret = pthread_mutex_unlock(&s_wakeLockCountMutex);
assert(ret == 0);
} else {
@@ -5299,6 +5390,23 @@
break;
}
+ if (s_callbacks.version < 13) {
+ if (shouldScheduleTimeout) {
+ UserCallbackInfo *p_info = internalRequestTimedCallback(wakeTimeoutCallback, NULL,
+ &TIMEVAL_WAKE_TIMEOUT);
+
+ if (p_info == NULL) {
+ goto error_exit;
+ } else {
+ // Cancel the previous request
+ if (s_last_wake_timeout_info != NULL) {
+ s_last_wake_timeout_info->userParam = (void *)1;
+ }
+ s_last_wake_timeout_info = p_info;
+ }
+ }
+ }
+
#if VDBG
RLOGI("%s UNSOLICITED: %s length:%d", rilSocketIdToString(soc_id), requestToString(unsolResponse), p.dataSize());
#endif
@@ -5316,23 +5424,14 @@
}
s_lastNITZTimeData = malloc(p.dataSize());
+ if (s_lastNITZTimeData == NULL) {
+ RLOGE("Memory allocation failed in RIL_onUnsolicitedResponse");
+ goto error_exit;
+ }
s_lastNITZTimeDataSize = p.dataSize();
memcpy(s_lastNITZTimeData, p.data(), p.dataSize());
}
- if (s_callbacks.version < 13) {
- if (shouldScheduleTimeout) {
- // Cancel the previous request
- if (s_last_wake_timeout_info != NULL) {
- s_last_wake_timeout_info->userParam = (void *)1;
- }
-
- s_last_wake_timeout_info
- = internalRequestTimedCallback(wakeTimeoutCallback, NULL,
- &TIMEVAL_WAKE_TIMEOUT);
- }
- }
-
// Normal exit
return;
@@ -5353,6 +5452,11 @@
UserCallbackInfo *p_info;
p_info = (UserCallbackInfo *) malloc (sizeof(UserCallbackInfo));
+ if (p_info == NULL) {
+ RLOGE("Memory allocation failed in internalRequestTimedCallback");
+ return p_info;
+
+ }
p_info->p_callback = callback;
p_info->userParam = param;