From 93f7ca9a0cf24e3dad05870332b4aaa191fc6efd Mon Sep 17 00:00:00 2001
From: qiuxy0401
Date: Mon, 29 May 2023 16:37:45 +0800
Subject: [PATCH] =?UTF-8?q?IssueNo:=20ims=20rawbuffer=E5=8F=8D=E5=BA=8F?= =?UTF-8?q?=E5=88=97=E5=8C=96=E6=BC=8F=E6=B4=9E=E6=95=B4=E6=94=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Description: ims rawbuffer反序列化漏洞整改
Sig: Sol_Enhanced_Telephony
Feature or Bugfix: Bugfix
Binary Source: No
Change-Id: I148b8fe1b5662f00066de64f283326fd257c33cf
---
 .../services/ims_call/src/ims_call_stub.cpp | 19 ++++++++++++++-----
 .../ims/services/ims_sms/src/ims_sms_stub.cpp | 13 ++++++-------
 2 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/vendor/ims/services/ims_call/src/ims_call_stub.cpp b/vendor/ims/services/ims_call/src/ims_call_stub.cpp
index 12acd4e..92751fa 100644
--- a/vendor/ims/services/ims_call/src/ims_call_stub.cpp
+++ b/vendor/ims/services/ims_call/src/ims_call_stub.cpp
@@ -19,6 +19,7 @@
 namespace OHOS {
 namespace Telephony {
+const int32_t IMS_CAPABILITIES_MAX_SIZE = 10;
 ImsCallStub::ImsCallStub()
 {
 InitFuncMap();
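Review bot: `IMS_CAPABILITIES_MAX_SIZE = 10` is the only bound on the peer-supplied element count read in OnUpdateImsCapabilities, yet nothing states where 10 comes from. A one-line comment such as `// upper bound on capability entries accepted from one IPC request` would make the intent explicit, and `constexpr int32_t` fits a compile-time limit better than `const`. If the value is derived from the number of capability types and radio technologies, the comment should say so, so the limit is revisited when those enums grow.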
@@ -600,12 +601,20 @@ int32_t ImsCallStub::OnRegisterImsCallCallback(MessageParcel &data, MessageParce
 int32_t ImsCallStub::OnUpdateImsCapabilities(MessageParcel &data, MessageParcel &reply)
 {
 int32_t slotId = data.ReadInt32();
- auto info = (ImsCapabilityList *)data.ReadRawData(sizeof(ImsCapabilityList));
- if (info == nullptr) {
- TELEPHONY_LOGE("data error");
- return TELEPHONY_ERR_LOCAL_PTR_NULL;
+ int32_t dataSize = data.ReadInt32();
+ if (dataSize < 0 || dataSize > IMS_CAPABILITIES_MAX_SIZE) {
+ TELEPHONY_LOGE("OnUpdateImsCapabilities size error");
+ return TELEPHONY_ERR_FAIL;
+ }
+ ImsCapability imsCapability;
+ ImsCapabilityList imsCapabilityList;
+ for (int i = 0; i < dataSize; i++) {
+ imsCapability.imsCapabilityType = static_cast(data.ReadInt32());
+ imsCapability.imsRadioTech = static_cast(data.ReadInt32());
+ imsCapability.enable = data.ReadBool();
+ imsCapabilityList.imsCapabilities.push_back(imsCapability);
 }
- reply.WriteInt32(UpdateImsCapabilities(slotId, *info));
+ reply.WriteInt32(UpdateImsCapabilities(slotId, imsCapabilityList));
 return TELEPHONY_SUCCESS;
 }
 } // namespace Telephony
diff --git a/vendor/ims/services/ims_sms/src/ims_sms_stub.cpp b/vendor/ims/services/ims_sms/src/ims_sms_stub.cpp
index a31b6e9..404d89e 100644
--- a/vendor/ims/services/ims_sms/src/ims_sms_stub.cpp
+++ b/vendor/ims/services/ims_sms/src/ims_sms_stub.cpp
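Review bot: The loop in OnUpdateImsCapabilities uses the value-returning ReadInt32()/ReadBool() and never learns whether a read failed, so a parcel that declares dataSize entries but carries fewer still produces dataSize list elements, filled with whatever a failed read returns (presumably zero/false), and these are passed to UpdateImsCapabilities. The two int32 values are also cast to their enum types with no range check. I would switch to the bool-returning reader overloads, fail the request on the first short read, and validate both values before the casts, as sketched below. slotId just above the hunk's new lines is read the same unchecked way.

```cpp
    for (int i = 0; i < dataSize; i++) {
        int32_t capabilityType = 0;
        int32_t radioTech = 0;
        bool enable = false;
        if (!data.ReadInt32(capabilityType) || !data.ReadInt32(radioTech) || !data.ReadBool(enable)) {
            TELEPHONY_LOGE("OnUpdateImsCapabilities read error");
            return TELEPHONY_ERR_FAIL;
        }
        // … validate capabilityType and radioTech against their enum ranges, then cast and assign as before …
        imsCapability.enable = enable;
        imsCapabilityList.imsCapabilities.push_back(imsCapability);
    }
```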
@@ -57,13 +57,12 @@ int32_t ImsSmsStub::OnRemoteRequest(uint32_t code, MessageParcel &data, MessageP
 int32_t ImsSmsStub::OnImsSendMessage(MessageParcel &data, MessageParcel &reply)
 {
 int32_t slotId = data.ReadInt32();
- ImsMessageInfo *messageInfo = (ImsMessageInfo *)data.ReadRawData(sizeof(ImsMessageInfo));
- if (messageInfo == nullptr) {
- TELEPHONY_LOGE("ImsMessageInfo nullptr");
- reply.WriteInt32(TELEPHONY_ERR_LOCAL_PTR_NULL);
- return TELEPHONY_ERR_LOCAL_PTR_NULL;
- }
- reply.WriteInt32(ImsSendMessage(slotId, *messageInfo));
+ ImsMessageInfo messageInfo;
+ messageInfo.refId = data.ReadInt64();
+ messageInfo.smscPdu = data.ReadString();
+ messageInfo.pdu = data.ReadString();
+ messageInfo.tech = static_cast(data.ReadInt32());
+ reply.WriteInt32(ImsSendMessage(slotId, messageInfo));
 return TELEPHONY_SUCCESS;
 }
-- Gitee
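Review bot: OnImsSendMessage no longer has any failure path: the four field reads are unchecked and smscPdu/pdu are accepted at any length, whereas the capability list in ims_call_stub.cpp received an explicit cap in the same commit. A truncated or oversized parcel therefore reaches ImsSendMessage as a defaulted or very large messageInfo, and the tech value is cast without a range check. Prefer the bool-returning reader overloads, e.g. `if (!data.ReadString(messageInfo.pdu)) { reply.WriteInt32(TELEPHONY_ERR_FAIL); return TELEPHONY_ERR_FAIL; }`, together with an upper bound on both PDU strings. The diffstat lists only the two stub files, so the sender side that writes these fields is presumably changed elsewhere; it is worth confirming that both ends agree on the new field-by-field layout.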