added SmsMessage ConcatRef parsing validation

addresses bugs: http://b/issue?id=1870607 http://b/issue?id=1688238 and prior perforce commit: http://s9/?change_num=136189
author: Tammo Spalink <tammo@google.com> 2009-05-22 13:08:52 +0800
committer: Tammo Spalink <tammo@google.com> 2009-05-22 13:38:35 +0800
commit: 550885d158f5371cb207228eb1b7fb06aac32ea3 (patch)
tree: df542e5961e2cdd7e32a78676c2eeca04b921fe1 /telephony
parent: 84ce47e64f9aa5600b6b3e205f8c6930a8095c7d (diff)
download: frameworks_base-550885d158f5371cb207228eb1b7fb06aac32ea3.zip
frameworks_base-550885d158f5371cb207228eb1b7fb06aac32ea3.tar.gz
frameworks_base-550885d158f5371cb207228eb1b7fb06aac32ea3.tar.bz2
1 files changed, 12 insertions, 3 deletions
diff --git a/telephony/java/com/android/internal/telephony/SmsHeader.java b/telephony/java/com/android/internal/telephony/SmsHeader.java
index d220648..7872eec 100644
--- a/telephony/java/com/android/internal/telephony/SmsHeader.java
+++ b/telephony/java/com/android/internal/telephony/SmsHeader.java
@@ -111,7 +111,10 @@ public class SmsHeader {
             /**
              * NOTE: as defined in the spec, ConcatRef and PortAddr
              * fields should not reoccur, but if they do the last
-             * occurrence is to be used.
+             * occurrence is to be used.  Also, for ConcatRef
+             * elements, if the count is zero, sequence is zero, or
+             * sequence is larger than count, the entire element is to
+             * be ignored.
              */
             int id = inStream.read();
             int length = inStream.read();
@@ -124,7 +127,10 @@ public class SmsHeader {
                 concatRef.msgCount = inStream.read();
                 concatRef.seqNumber = inStream.read();
                 concatRef.isEightBits = true;
-                smsHeader.concatRef = concatRef;
+                if (concatRef.msgCount != 0 && concatRef.seqNumber != 0 &&
+                        concatRef.seqNumber <= concatRef.msgCount) {
+                    smsHeader.concatRef = concatRef;
+                }
                 break;
             case ELT_ID_CONCATENATED_16_BIT_REFERENCE:
                 concatRef = new ConcatRef();
@@ -132,7 +138,10 @@ public class SmsHeader {
                 concatRef.msgCount = inStream.read();
                 concatRef.seqNumber = inStream.read();
                 concatRef.isEightBits = false;
-                smsHeader.concatRef = concatRef;
+                if (concatRef.msgCount != 0 && concatRef.seqNumber != 0 &&
+                        concatRef.seqNumber <= concatRef.msgCount) {
+                    smsHeader.concatRef = concatRef;
+                }
                 break;
             case ELT_ID_APPLICATION_PORT_ADDRESSING_8_BIT:
                 portAddrs = new PortAddrs();
author	Tammo Spalink <tammo@google.com>	2009-05-22 13:08:52 +0800
committer	Tammo Spalink <tammo@google.com>	2009-05-22 13:38:35 +0800
commit	550885d158f5371cb207228eb1b7fb06aac32ea3 (patch)
tree	df542e5961e2cdd7e32a78676c2eeca04b921fe1 /telephony
parent	84ce47e64f9aa5600b6b3e205f8c6930a8095c7d (diff)
download	frameworks_base-550885d158f5371cb207228eb1b7fb06aac32ea3.zip frameworks_base-550885d158f5371cb207228eb1b7fb06aac32ea3.tar.gz frameworks_base-550885d158f5371cb207228eb1b7fb06aac32ea3.tar.bz2