author | David Christie <dnchrist@google.com> | 2016-08-23 16:19:51 -0700 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2016-08-26 16:21:55 -0700 |
commit | 2dde02ed263192cc71f7f11f120b4bf03432f508 (patch) | |
tree | a6be1b4e803e2f827b0957ecf644738582a02ae6 /services/core | |
parent | 3d2b855e53776b4406e1fb01f6198be89c9f8114 (diff) | |
DO NOT MERGE: Fix vulnerability where large GPS XTRA data can be
injected.
-Can potentially crash system with OOM.
Bug: 29555864
Change-Id: I7157f48dddf148a9bcab029cf12e26a58d8054f4
(cherry picked from commit 5439aabb165b5a760d1e580016bf1d6fd963cb65)
Diffstat (limited to 'services/core')
-rw-r--r-- | services/core/java/com/android/server/location/GpsXtraDownloader.java | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/location/GpsXtraDownloader.java b/services/core/java/com/android/server/location/GpsXtraDownloader.java
index 3585049..6310361 100644
--- a/services/core/java/com/android/server/location/GpsXtraDownloader.java
+++ b/services/core/java/com/android/server/location/GpsXtraDownloader.java
@@ -21,8 +21,11 @@ import android.util.Log;
 import java.net.HttpURLConnection;
 import java.net.URL;
-import libcore.io.Streams;
+import libcore.io.IoUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
 import java.io.IOException;
 import java.util.Properties;
 import java.util.Random;
@@ -36,6 +39,7 @@ public class GpsXtraDownloader {
 private static final String TAG = "GpsXtraDownloader";
 private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
+ private static final long MAXIMUM_CONTENT_LENGTH_BYTES = 1000000; // 1MB.
 private static final String DEFAULT_USER_AGENT = "Android";
 private final String[] mXtraServers;
@@ -121,7 +125,19 @@ public class GpsXtraDownloader {
 return null;
 }
- return Streams.readFully(connection.getInputStream());
+ try (InputStream in = connection.getInputStream()) {
+ ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+ byte[] buffer = new byte[1024];
+ int count;
+ while ((count = in.read(buffer)) != -1) {
+ bytes.write(buffer, 0, count);
+ if (bytes.size() > MAXIMUM_CONTENT_LENGTH_BYTES) {
+ if (DEBUG) Log.d(TAG, "XTRA file too large");
+ return null;
+ }
+ }
+ return bytes.toByteArray();
+ }
 } catch (IOException ioe) {
 if (DEBUG) Log.d(TAG, "Error downloading gps XTRA: ", ioe);
 } finally {
@@ -133,3 +149,4 @@ public class GpsXtraDownloader {
 }
 }
+ |
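Review bot: The new `import libcore.io.IoUtils;` in the import hunk does not appear to be used: the rewritten read path closes the stream with try-with-resources, and nothing in the visible hunks references `IoUtils`. Unless code outside these hunks calls it, the line can be dropped so that the only change here is removing `import libcore.io.Streams;` and adding the two `java.io` imports.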
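Review bot: The oversize rejection in the read loop is logged only under `DEBUG`, so on a production build a response that exceeds `MAXIMUM_CONTENT_LENGTH_BYTES` is discarded with no trace and looks the same as any other failed download. Since this is the branch that blocks the oversized-data case the commit describes, an unconditional `Log.w(TAG, "XTRA response exceeded " + MAXIMUM_CONTENT_LENGTH_BYTES + " bytes; discarded");` would make it visible to anyone triaging logs. A short comment above the loop would also help the next reader, e.g. `// Cap is enforced on bytes actually read; a server-supplied Content-Length is not trusted.` The enclosing method begins and ends outside this hunk, so whether the caller treats this `null` differently from a network error cannot be judged from here.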