authorDavid Christie <dnchrist@google.com>2016-08-23 16:19:51 -0700
committergitbuildkicker <android-build@google.com>2016-08-25 21:56:23 -0700
commitf1e317003659e9097f760a4b680dd595abed2e3e (patch)
tree847c81c0d72e4d3fbcc34c95946841f6eba9ad26
parentca692c228dfef0b0d7f51597e726180d3f70c66c (diff)
DO NOT MERGE: Fix vulnerability where large GPS XTRA data can be
injected. -Can potentially crash system with OOM. Bug: 29555864 Change-Id: I7157f48dddf148a9bcab029cf12e26a58d8054f4 (cherry picked from commit 5439aabb165b5a760d1e580016bf1d6fd963cb65)
-rw-r--r--services/core/java/com/android/server/location/GpsXtraDownloader.java21
1 files changed, 19 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/location/GpsXtraDownloader.java b/services/core/java/com/android/server/location/GpsXtraDownloader.java
index 3585049..6310361 100644
--- a/services/core/java/com/android/server/location/GpsXtraDownloader.java
+++ b/services/core/java/com/android/server/location/GpsXtraDownloader.java
@@ -21,8 +21,11 @@ import android.util.Log;
import java.net.HttpURLConnection;
import java.net.URL;
-import libcore.io.Streams;
+import libcore.io.IoUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
import java.io.IOException;
import java.util.Properties;
import java.util.Random;
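Review bot: The added `import libcore.io.IoUtils;` is not referenced by any new line visible in this commit. The rewritten read path closes the stream with try-with-resources, so no explicit close helper appears to be needed. If nothing outside the shown hunks uses it, drop the import so the file does not keep an unused dependency on a libcore internal.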
@@ -36,6 +39,7 @@ public class GpsXtraDownloader {
private static final String TAG = "GpsXtraDownloader";
private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
+ private static final long MAXIMUM_CONTENT_LENGTH_BYTES = 1000000; // 1MB.
private static final String DEFAULT_USER_AGENT = "Android";
private final String[] mXtraServers;
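Review bot: `MAXIMUM_CONTENT_LENGTH_BYTES` is a security limit, but its only documentation is the trailing `// 1MB.`. A comment above it should say why the cap exists, for example `// Upper bound on an XTRA response body; larger responses are discarded so a hostile or broken server cannot exhaust memory.` The constant is declared `long` but is compared with `ByteArrayOutputStream.size()`, which returns `int`. Declaring it `int` would match its only visible use.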
@@ -121,7 +125,19 @@ public class GpsXtraDownloader {
return null;
}
- return Streams.readFully(connection.getInputStream());
+ try (InputStream in = connection.getInputStream()) {
+ ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+ byte[] buffer = new byte[1024];
+ int count;
+ while ((count = in.read(buffer)) != -1) {
+ bytes.write(buffer, 0, count);
+ if (bytes.size() > MAXIMUM_CONTENT_LENGTH_BYTES) {
+ if (DEBUG) Log.d(TAG, "XTRA file too large");
+ return null;
+ }
+ }
+ return bytes.toByteArray();
+ }
} catch (IOException ioe) {
if (DEBUG) Log.d(TAG, "Error downloading gps XTRA: ", ioe);
} finally {
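Review bot: The new loop bounds how many bytes are buffered but not how long the read may take, so a server that sends data very slowly can still hold this download for an unbounded time. The connection setup is outside the hunk, so this is inferred. If no timeouts are set there, add `connection.setConnectTimeout(TIMEOUT_MS);` and `connection.setReadTimeout(TIMEOUT_MS);` before the response is read, where `TIMEOUT_MS` is a placeholder to be chosen. The oversize rejection is also logged only under `DEBUG`, so a production device leaves no trace when a response hits the cap. An unconditional `Log.w(TAG, "XTRA response exceeded size limit, discarding");` would make that visible. The enclosing method starts before this hunk and its `finally` block continues past it.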
@@ -133,3 +149,4 @@ public class GpsXtraDownloader {
}
}
+