author | David Christie <dnchrist@google.com> | 2016-08-23 16:19:51 -0700 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2016-08-26 10:40:55 -0700 |
commit | 218b813d5bc2d7d3952ea1861c38b4aa944ac59b (patch) | |
tree | 3e70e95f5bab3a79e522d5ae00b7871805221760 | |
parent | f5334952131afa835dd3f08601fb3bced7b781cd (diff) | |
download | base-android-7.0.0_r7.tar.gz |
DO NOT MERGE: Fix vulnerability where large GPS XTRA data can be
injected.
android-cts-7.0_r3 android-7.0.0_r9 android-7.0.0_r8 android-7.0.0_r7 android-7.0.0_r11 android-7.0.0_r10
-Can potentially crash system with OOM.
Bug: 29555864
Change-Id: I7157f48dddf148a9bcab029cf12e26a58d8054f4
(cherry picked from commit 79375723f0f201a6759ddbfda57d491ff3fea64e)
-rw-r--r-- | services/core/java/com/android/server/location/GpsXtraDownloader.java | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/location/GpsXtraDownloader.java b/services/core/java/com/android/server/location/GpsXtraDownloader.java
index c464371bf16a..874857ac3883 100644
--- a/services/core/java/com/android/server/location/GpsXtraDownloader.java
+++ b/services/core/java/com/android/server/location/GpsXtraDownloader.java
@@ -22,6 +22,12 @@ import android.util.Log;
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
+
+import libcore.io.IoUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.IOException;
 import java.util.Properties;
 import java.util.Random;
 import java.util.concurrent.TimeUnit;
@@ -37,6 +43,7 @@ public class GpsXtraDownloader {
 private static final String TAG = "GpsXtraDownloader";
 private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
+ private static final long MAXIMUM_CONTENT_LENGTH_BYTES = 1000000; // 1MB.
 private static final String DEFAULT_USER_AGENT = "Android";
 private static final int CONNECTION_TIMEOUT_MS = (int) TimeUnit.SECONDS.toMillis(30);
@@ -124,7 +131,19 @@ public class GpsXtraDownloader {
 return null;
 }
- return Streams.readFully(connection.getInputStream());
+ try (InputStream in = connection.getInputStream()) {
+ ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+ byte[] buffer = new byte[1024];
+ int count;
+ while ((count = in.read(buffer)) != -1) {
+ bytes.write(buffer, 0, count);
+ if (bytes.size() > MAXIMUM_CONTENT_LENGTH_BYTES) {
+ if (DEBUG) Log.d(TAG, "XTRA file too large");
+ return null;
+ }
+ }
+ return bytes.toByteArray();
+ }
 } catch (IOException ioe) {
 if (DEBUG) Log.d(TAG, "Error downloading gps XTRA: ", ioe);
 } finally {
@@ -136,3 +155,4 @@ public class GpsXtraDownloader {
 }
 }
+ |
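Review bot: `import libcore.io.IoUtils;` is not referenced by any line visible in this diff, since the new read loop closes the stream through try-with-resources. The added `import java.io.IOException;` also repeats the import that already appears as the first context line of the same hunk. Both lines can be dropped, leaving only `import java.io.ByteArrayOutputStream;` and `import java.io.InputStream;` as new imports. Whether the existing `Streams` import is still needed after `Streams.readFully` is removed cannot be told from here, because the rest of the file is outside the diff.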
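Review bot: The oversize branch in the read loop reports only under `if (DEBUG)`, so on a normal build a server that sends more than the cap is discarded with no trace, although that is exactly the condition this fix guards against. I would log it unconditionally at warning level, e.g. `Log.w(TAG, "XTRA response exceeded " + MAXIMUM_CONTENT_LENGTH_BYTES + " bytes; discarding");`. The check also runs after `bytes.write(...)`, so the buffer can exceed the limit by up to one 1024-byte read; that is harmless here, but the constant deserves a comment saying so. A declared length can be rejected before any body is read with `if (connection.getContentLength() > MAXIMUM_CONTENT_LENGTH_BYTES) return null;`, keeping the streaming cap because the header may be absent or wrong. The enclosing method starts and ends outside the hunk.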