[Bugfix][T106BUG-607]add the judgment on whether pdp_type, auth_proto, apn_name, password are out of bounds
Only Configure: No
Affected branch: master
Affected module: data
Is it affected on both ZXIC and MTK: only ZXIC
Self-test: Yes
Doc Update: No
Change-Id: I5e8529253cf2ab3cc40053019c5a80dfb7610318
diff --git a/cap/zx297520v3/src/lynq/lib/liblynq-qser-data/lynq-qser-data.cpp b/cap/zx297520v3/src/lynq/lib/liblynq-qser-data/lynq-qser-data.cpp
index f3ebce3..010ed7c 100755
--- a/cap/zx297520v3/src/lynq/lib/liblynq-qser-data/lynq-qser-data.cpp
+++ b/cap/zx297520v3/src/lynq/lib/liblynq-qser-data/lynq-qser-data.cpp
@@ -1054,22 +1054,22 @@
switch (auth_proto)
{
case QSER_APN_AUTH_PROTO_DEFAULT:
- strcpy(out_proto,"NULL;authType=0");
+ strcpy(out_proto,"0");
break;
case QSER_APN_AUTH_PROTO_NONE:
- strcpy(out_proto,"NULL;authType=1");
+ strcpy(out_proto,"0");
break;
case QSER_APN_AUTH_PROTO_PAP:
- strcpy(out_proto,"NULL;authType=2");
+ strcpy(out_proto,"1");
break;
case QSER_APN_AUTH_PROTO_CHAP:
- strcpy(out_proto,"NULL;authtype=3");
+ strcpy(out_proto,"2");
break;
case QSER_APN_AUTH_PROTO_PAP_CHAP:
- strcpy(out_proto,"NULL;authtype=4");
+ strcpy(out_proto,"3");
break;
default:
- strcpy(out_proto,"NULL;authType=NULL");
+ strcpy(out_proto,"NULL");
break;
}
return ;
@@ -1332,6 +1332,7 @@
else
{
char pdptype[16];
+ char auth_proto[16];
qser_apn_info_s apn_info;
LYINFLOG("datacall->profile_idx is %d\n", data_call->profile_idx);
ret = qser_apn_get((unsigned char)data_call->profile_idx,&apn_info);
@@ -1342,7 +1343,8 @@
return ret;
}
judge_pdp_type(apn_info.pdp_type,pdptype);
- ret = lynq_setup_data_call_sp(&handle,apn_info.apn_name,apn_info.apn_type,apn_info.username,apn_info.password,NULL,pdptype,pdptype);
+ judge_authtype(apn_info.auth_proto,auth_proto);
+ ret = lynq_setup_data_call_sp(&handle,apn_info.apn_name,apn_info.apn_type,apn_info.username,apn_info.password,auth_proto,pdptype,pdptype);
}
if (ret != 0)
{
@@ -1388,6 +1390,7 @@
else
{
char pdptype[16];
+ char auth_proto[16];
qser_apn_info_s apn_info;
LYINFLOG("datacall->profile_idx is %d\n", data_call->profile_idx);
ret = qser_apn_get((unsigned char)data_call->profile_idx,&apn_info);
@@ -1398,7 +1401,8 @@
return ret;
}
judge_pdp_type(apn_info.pdp_type,pdptype);
- ret = lynq_setup_data_call_sp_t106_async(&handle,apn_info.apn_name,apn_info.apn_type,apn_info.username,apn_info.password,NULL,pdptype,pdptype);
+ judge_authtype(apn_info.auth_proto,auth_proto);
+ ret = lynq_setup_data_call_sp_t106_async(&handle,apn_info.apn_name,apn_info.apn_type,apn_info.username,apn_info.password,auth_proto,pdptype,pdptype);
}
if (ret != 0)
{
@@ -1506,6 +1510,33 @@
}
return ret;
}
+int check_pdp_type(qser_apn_pdp_type_e pdp_type)
+{
+ switch (pdp_type)
+ {
+ case QSER_APN_PDP_TYPE_IPV4:
+ case QSER_APN_PDP_TYPE_PPP:
+ case QSER_APN_PDP_TYPE_IPV6:
+ case QSER_APN_PDP_TYPE_IPV4V6:
+ return 0;
+ default:
+ return -1;
+ }
+}
+int check_auth_proto(qser_apn_auth_proto_e auth_proto)
+{
+ switch (auth_proto)
+ {
+ case QSER_APN_AUTH_PROTO_DEFAULT:
+ case QSER_APN_AUTH_PROTO_NONE:
+ case QSER_APN_AUTH_PROTO_PAP:
+ case QSER_APN_AUTH_PROTO_CHAP:
+ case QSER_APN_AUTH_PROTO_PAP_CHAP:
+ return 0;
+ default:
+ return -1;
+ }
+}
int qser_apn_set(qser_apn_info_s *apn)
{
int ret = 0;
@@ -1529,6 +1560,38 @@
LYERRLOG("It has setup datacall");
return RESULT_ERROR;
}
+
+ if(strlen(apn->apn_name) > QSER_APN_NAME_SIZE)
+ {
+ LYERRLOG("apn_name out of range\n");
+ return RESULT_ERROR;
+ }
+ if(strlen(apn->username) > QSER_APN_USERNAME_SIZE)
+ {
+ LYERRLOG("username out of range\n");
+ return RESULT_ERROR;
+ }
+ if(strlen(apn->password) > QSER_APN_PASSWORD_SIZE)
+ {
+ LYERRLOG("password out of range\n");
+ return RESULT_ERROR;
+ }
+ if(strlen(apn->apn_type) > QSER_APN_NAME_SIZE)
+ {
+ LYERRLOG("apn_type out of range\n");
+ return RESULT_ERROR;
+ }
+ if(check_pdp_type(apn->pdp_type) != 0)
+ {
+ LYERRLOG("pdp_type out of range\n");
+ return RESULT_ERROR;
+ }
+ if(check_auth_proto(apn->auth_proto) != 0)
+ {
+ LYERRLOG("auth_proto out of range\n");
+ return RESULT_ERROR;
+ }
+
ret = apn_db_modify(apn);
if (ret < 0)
{
@@ -1590,6 +1653,37 @@
LYERRLOG("apn add incoming paramters error");
return RESULT_ERROR;
}
+
+ if(strlen(apn->apn_name) > QSER_APN_NAME_SIZE)
+ {
+ LYERRLOG("apn_name out of range\n");
+ return RESULT_ERROR;
+ }
+ if(strlen(apn->username) > QSER_APN_USERNAME_SIZE)
+ {
+ LYERRLOG("username out of range\n");
+ return RESULT_ERROR;
+ }
+ if(strlen(apn->password) > QSER_APN_PASSWORD_SIZE)
+ {
+ LYERRLOG("password out of range\n");
+ return RESULT_ERROR;
+ }
+ if(strlen(apn->apn_type) > QSER_APN_NAME_SIZE)
+ {
+ LYERRLOG("apn_type out of range\n");
+ return RESULT_ERROR;
+ }
+ if(check_pdp_type(apn->pdp_type) != 0)
+ {
+ LYERRLOG("pdp_type out of range\n");
+ return RESULT_ERROR;
+ }
+ if(check_auth_proto(apn->auth_proto) != 0)
+ {
+ LYERRLOG("auth_proto out of range\n");
+ return RESULT_ERROR;
+ }
*profile_idx = 0;
*profile_idx = (unsigned char)find_unuse_apn_index(APN_DB_PATH);