authorBo Hu <bohu@google.com>2024-05-06 07:45:44 -0700
committerBo Hu <bohu@google.com>2024-05-06 08:23:57 -0700
commit123e0a6ca61f74426042f40c683ca72dcbad4602 (patch)
tree5e509ddee0fb5f233f3983d9052869c4e1057f71
parentfd45ec1bd368d75d705056f29266469d02d1e4f1 (diff)
ril: avoid accessing invalid address
Bug: 338225996 Change-Id: Idc84cd82908e103bb6d55148dee70516a4614532
-rw-r--r--guest/hals/ril/reference-ril/reference-ril.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/guest/hals/ril/reference-ril/reference-ril.c b/guest/hals/ril/reference-ril/reference-ril.c
index b7915e109..c946db0f4 100644
--- a/guest/hals/ril/reference-ril/reference-ril.c
+++ b/guest/hals/ril/reference-ril/reference-ril.c
@@ -918,6 +918,10 @@ static void requestOrSendDataCallList(int cid, RIL_Token *t)
continue;
i = ncid - 1;
+
+ if (i >= n || i < 0)
+ goto error;
+
// Assume no error
responses[i].status = 0;
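Review bot: The subtraction `i = ncid - 1` runs before the new range check, so an `ncid` at the minimum int value overflows (undefined behaviour for signed int) before `i < 0` can reject it. Assuming `ncid` and `i` are plain `int`, validating the 1-based id first avoids that: `if (ncid < 1 || ncid > n) goto error;` placed above the assignment. A short comment such as `// cid is 1-based; reject ids that do not index responses[0..n-1]` would also record why the check exists. The declaration of `ncid`, the loop header and the `error` label are outside this hunk, so the cleanup done by the jump could not be checked here.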
@@ -1054,14 +1058,21 @@ static void requestOrSendDataCallList(int cid, RIL_Token *t)
&input, (responses) ? &responses[i].dnses : &sskip); // dns_prim_addr
if (err < 0) goto error;
+ size_t response_size = 0;
+ RIL_Data_Call_Response_v11 *presponse = NULL;
+ if (responses) {
+ if (i >= n || i < 0)
+ goto error;
+ presponse = &responses[i];
+ response_size = sizeof(*presponse);
+ }
+
if (t != NULL)
RIL_onRequestComplete(*t, RIL_E_SUCCESS,
- (responses != NULL) ? (responses + i) : responses,
- sizeof(RIL_Data_Call_Response_v11));
+ presponse, response_size);
else
RIL_onUnsolicitedResponse(RIL_UNSOL_DATA_CALL_LIST_CHANGED,
- responses,
- n * sizeof(RIL_Data_Call_Response_v11));
+ responses, n * response_size);
at_response_free(p_response);
return;
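Review bot: The bounds check added before `if (t != NULL)` now also gates the unsolicited branch, which sends the whole array and never indexes by `i`. If `i` can be out of range when `t == NULL` (its last assignment is outside this hunk), the function now takes the error path where it used to send `RIL_UNSOL_DATA_CALL_LIST_CHANGED`. Scoping `presponse`, `response_size` and the check to the solicited branch keeps the fix for `responses + i` without changing the unsolicited path, as sketched below. Separately, `&responses[i].dnses` in the context line above is formed before this check, so the guard only protects the reply pointer; the field writes rely on the earlier check after `i = ncid - 1`. The function starts and ends outside the hunk.

```c
// … unchanged: field parsing up to dns_prim_addr …
if (t != NULL) {
    /* Only the solicited reply indexes responses[i]; validate i here. */
    RIL_Data_Call_Response_v11 *presponse = NULL;
    size_t response_size = 0;
    if (responses) {
        if (i < 0 || i >= n)
            goto error;
        presponse = &responses[i];
        response_size = sizeof(*presponse);
    }
    RIL_onRequestComplete(*t, RIL_E_SUCCESS, presponse, response_size);
} else {
    RIL_onUnsolicitedResponse(RIL_UNSOL_DATA_CALL_LIST_CHANGED,
                              responses,
                              responses ? n * sizeof(*responses) : 0);
}
// … unchanged: at_response_free(p_response); return; …
```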