author | David Christie <dnchrist@google.com> | 2016-08-23 16:19:51 -0700 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2016-08-26 16:36:21 -0700 |
commit | 11e1dc330dcce537314f8bd64e341ab110a81790 (patch) | |
tree | 713ea825d9384f2cb3a113b0456496315ed1c330 | |
parent | e096475326db3217a2437f34a9547ad152601d07 (diff) | |
DO NOT MERGE: Fix vulnerability where large GPS XTRA data can be injected. [android-6.0.1_r69]
-Can potentially crash system with OOM.
Bug: 29555864
Change-Id: I7157f48dddf148a9bcab029cf12e26a58d8054f4
(cherry picked from commit 5439aabb165b5a760d1e580016bf1d6fd963cb65)
-rw-r--r-- | services/core/java/com/android/server/location/GpsXtraDownloader.java | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/location/GpsXtraDownloader.java b/services/core/java/com/android/server/location/GpsXtraDownloader.java
index 3585049fab23..6310361573fc 100644
--- a/services/core/java/com/android/server/location/GpsXtraDownloader.java
+++ b/services/core/java/com/android/server/location/GpsXtraDownloader.java
@@ -21,8 +21,11 @@ import android.util.Log;
 import java.net.HttpURLConnection;
 import java.net.URL;
-import libcore.io.Streams;
+import libcore.io.IoUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
 import java.io.IOException;
 import java.util.Properties;
 import java.util.Random;
@@ -36,6 +39,7 @@ public class GpsXtraDownloader {
 private static final String TAG = "GpsXtraDownloader";
 private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
+ private static final long MAXIMUM_CONTENT_LENGTH_BYTES = 1000000; // 1MB.
 private static final String DEFAULT_USER_AGENT = "Android";
 private final String[] mXtraServers;
@@ -121,7 +125,19 @@ public class GpsXtraDownloader {
 return null;
 }
- return Streams.readFully(connection.getInputStream());
+ try (InputStream in = connection.getInputStream()) {
+ ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+ byte[] buffer = new byte[1024];
+ int count;
+ while ((count = in.read(buffer)) != -1) {
+ bytes.write(buffer, 0, count);
+ if (bytes.size() > MAXIMUM_CONTENT_LENGTH_BYTES) {
+ if (DEBUG) Log.d(TAG, "XTRA file too large");
+ return null;
+ }
+ }
+ return bytes.toByteArray();
+ }
 } catch (IOException ioe) {
 if (DEBUG) Log.d(TAG, "Error downloading gps XTRA: ", ioe);
 } finally {
@@ -133,3 +149,4 @@ public class GpsXtraDownloader {
 }
 }
+
|
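Review bot: `libcore.io.IoUtils` is imported in the first hunk, but nothing in the hunks shown calls it; the new read loop closes the stream with try-with-resources instead. If no other code in the file uses it, drop the `import libcore.io.IoUtils;` line so the import list reflects what the class actually depends on.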
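Review bot: The oversize rejection in the read loop is logged only when DEBUG is enabled, so on a production build a server that sends more than MAXIMUM_CONTENT_LENGTH_BYTES leaves no trace of the event this fix exists to stop. Log it unconditionally, for example `Log.w(TAG, "XTRA file exceeds " + MAXIMUM_CONTENT_LENGTH_BYTES + " bytes, discarding");`. The download could also be refused before any body is read when the server declares a length, with `if (connection.getContentLength() > MAXIMUM_CONTENT_LENGTH_BYTES) return null;` placed ahead of the `try (InputStream in = ...)` line; the header is advisory, so the cap inside the loop has to stay. A comment on the constant such as `// Upper bound on a downloaded XTRA file; larger responses are discarded to avoid OOM in the system process.` would record why the limit exists. The enclosing method starts and ends outside this hunk, so whether connect and read timeouts are set on the connection cannot be confirmed from here.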