diff options
author | Bo Hu <bohu@google.com> | 2024-05-06 07:45:44 -0700 |
---|---|---|
committer | Bo Hu <bohu@google.com> | 2024-05-06 08:23:57 -0700 |
commit | 123e0a6ca61f74426042f40c683ca72dcbad4602 (patch) | |
tree | 5e509ddee0fb5f233f3983d9052869c4e1057f71 | |
parent | fd45ec1bd368d75d705056f29266469d02d1e4f1 (diff) | |
download | cuttlefish-123e0a6ca61f74426042f40c683ca72dcbad4602.tar.gz |
ril: avoid accessing invalid address
Bug: 338225996
Change-Id: Idc84cd82908e103bb6d55148dee70516a4614532
-rw-r--r-- | guest/hals/ril/reference-ril/reference-ril.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/guest/hals/ril/reference-ril/reference-ril.c b/guest/hals/ril/reference-ril/reference-ril.c index b7915e109..c946db0f4 100644 --- a/guest/hals/ril/reference-ril/reference-ril.c +++ b/guest/hals/ril/reference-ril/reference-ril.c @@ -918,6 +918,10 @@ static void requestOrSendDataCallList(int cid, RIL_Token *t) continue; i = ncid - 1; + + if (i >= n || i < 0) + goto error; + // Assume no error responses[i].status = 0; @@ -1054,14 +1058,21 @@ static void requestOrSendDataCallList(int cid, RIL_Token *t) &input, (responses) ? &responses[i].dnses : &sskip); // dns_prim_addr if (err < 0) goto error; + size_t response_size = 0; + RIL_Data_Call_Response_v11 *presponse = NULL; + if (responses) { + if (i >= n || i < 0) + goto error; + presponse = &responses[i]; + response_size = sizeof(*presponse); + } + if (t != NULL) RIL_onRequestComplete(*t, RIL_E_SUCCESS, - (responses != NULL) ? (responses + i) : responses, - sizeof(RIL_Data_Call_Response_v11)); + presponse, response_size); else RIL_onUnsolicitedResponse(RIL_UNSOL_DATA_CALL_LIST_CHANGED, - responses, - n * sizeof(RIL_Data_Call_Response_v11)); + responses, n * response_size); at_response_free(p_response); return; |