From 929ca5e49760c3d5af8c7455cd38e29336b5e262 Mon Sep 17 00:00:00 2001 From: Jake Hamby Date: Tue, 11 Oct 2011 19:00:29 -0700 Subject: Fix bug in CDMA WDP datagram handling (fixes incoming MMS). CDMA WDP datagram handling was refactored to use the same method that handles concatenated SMS messages. WDP datagram sequence numbers start at 0, but GSM/CDMA concatenated sequence numbers start at 1. Changed SMSDispatcher.processMessagePart() to count from 0 when handling WDP datagrams. Also changed CdmaSMSDispatcher.processCdmaWapPdu() to correctly decode segment numbers > 127 (signed byte conversion bug) and to reject PDUs with an out-of-range segment number (invalid ranges are already rejected for regular concatenated messages). Bug: 5433331 Change-Id: I25c9567769de8edca789c0d1707d4916a4c46885 --- .../java/com/android/internal/telephony/SMSDispatcher.java | 14 ++++++++++++-- .../android/internal/telephony/cdma/CdmaSMSDispatcher.java | 11 ++++++++--- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/telephony/java/com/android/internal/telephony/SMSDispatcher.java b/telephony/java/com/android/internal/telephony/SMSDispatcher.java index e4c60284dc4f..a42a267a1fda 100644 --- a/telephony/java/com/android/internal/telephony/SMSDispatcher.java +++ b/telephony/java/com/android/internal/telephony/SMSDispatcher.java @@ -518,6 +518,7 @@ public abstract class SMSDispatcher extends Handler { * @param address the originating address * @param referenceNumber distinguishes concatenated messages from the same sender * @param sequenceNumber the order of this segment in the message + * (starting at 0 for CDMA WDP datagrams and 1 for concatenated messages). * @param messageCount the number of segments in the message * @param timestamp the service center timestamp in millis * @param destPort the destination port for the message, or -1 for no destination port @@ -583,7 +584,11 @@ public abstract class SMSDispatcher extends Handler { for (int i = 0; i < cursorCount; i++) { cursor.moveToNext(); int cursorSequence = cursor.getInt(SEQUENCE_COLUMN); - pdus[cursorSequence - 1] = HexDump.hexStringToByteArray( + // GSM sequence numbers start at 1; CDMA WDP datagram sequence numbers start at 0 + if (!isCdmaWapPush) { + cursorSequence--; + } + pdus[cursorSequence] = HexDump.hexStringToByteArray( cursor.getString(PDU_COLUMN)); // Read the destination port from the first segment (needed for CDMA WAP PDU). @@ -593,7 +598,12 @@ public abstract class SMSDispatcher extends Handler { } } // This one isn't in the DB, so add it - pdus[sequenceNumber - 1] = pdu; + // GSM sequence numbers start at 1; CDMA WDP datagram sequence numbers start at 0 + if (isCdmaWapPush) { + pdus[sequenceNumber] = pdu; + } else { + pdus[sequenceNumber - 1] = pdu; + } // Remove the parts from the database mResolver.delete(mRawUri, where, whereArgs); diff --git a/telephony/java/com/android/internal/telephony/cdma/CdmaSMSDispatcher.java b/telephony/java/com/android/internal/telephony/cdma/CdmaSMSDispatcher.java index fe41e7e61b0c..ca8d9ae11617 100755 --- a/telephony/java/com/android/internal/telephony/cdma/CdmaSMSDispatcher.java +++ b/telephony/java/com/android/internal/telephony/cdma/CdmaSMSDispatcher.java @@ -198,13 +198,18 @@ final class CdmaSMSDispatcher extends SMSDispatcher { protected int processCdmaWapPdu(byte[] pdu, int referenceNumber, String address) { int index = 0; - int msgType = pdu[index++]; + int msgType = (0xFF & pdu[index++]); if (msgType != 0) { Log.w(TAG, "Received a WAP SMS which is not WDP. Discard."); return Intents.RESULT_SMS_HANDLED; } - int totalSegments = pdu[index++]; // >= 1 - int segment = pdu[index++]; // >= 0 + int totalSegments = (0xFF & pdu[index++]); // >= 1 + int segment = (0xFF & pdu[index++]); // >= 0 + + if (segment >= totalSegments) { + Log.e(TAG, "WDP bad segment #" + segment + " expecting 0-" + (totalSegments - 1)); + return Intents.RESULT_SMS_HANDLED; + } // Only the first segment contains sourcePort and destination Port int sourcePort = 0; -- cgit v1.2.3-59-g8ed1b