Fix bug in CDMA WDP datagram handling (fixes incoming MMS).

Jake Hamby · Jake Hamby · commit 929ca5e49760 · 2011-10-11T19:15:32.000-07:00
CDMA WDP datagram handling was refactored to use the same method
that handles concatenated SMS messages. WDP datagram sequence numbers
start at 0, but GSM/CDMA concatenated sequence numbers start at 1.
Changed SMSDispatcher.processMessagePart() to count from 0 when
handling WDP datagrams.

Also changed CdmaSMSDispatcher.processCdmaWapPdu() to correctly
decode segment numbers &gt; 127 (signed byte conversion bug)
and to reject PDUs with an out-of-range segment number (invalid
ranges are already rejected for regular concatenated messages).

Bug: 5433331
Change-Id: I25c9567769de8edca789c0d1707d4916a4c46885
diff --git a/telephony/java/com/android/internal/telephony/SMSDispatcher.java b/telephony/java/com/android/internal/telephony/SMSDispatcher.java
@@ -518,6 +518,7 @@ protected int dispatchNormalMessage(SmsMessageBase sms) {
      * @param address the originating address
      * @param referenceNumber distinguishes concatenated messages from the same sender
      * @param sequenceNumber the order of this segment in the message
+     *          (starting at 0 for CDMA WDP datagrams and 1 for concatenated messages).
      * @param messageCount the number of segments in the message
      * @param timestamp the service center timestamp in millis
      * @param destPort the destination port for the message, or -1 for no destination port
@@ -583,7 +584,11 @@ protected int processMessagePart(byte[] pdu, String address, int referenceNumber
             for (int i = 0; i < cursorCount; i++) {
                 cursor.moveToNext();
                 int cursorSequence = cursor.getInt(SEQUENCE_COLUMN);
-                pdus[cursorSequence - 1] = HexDump.hexStringToByteArray(
+                // GSM sequence numbers start at 1; CDMA WDP datagram sequence numbers start at 0
+                if (!isCdmaWapPush) {
+                    cursorSequence--;
+                }
+                pdus[cursorSequence] = HexDump.hexStringToByteArray(
                         cursor.getString(PDU_COLUMN));
 
                 // Read the destination port from the first segment (needed for CDMA WAP PDU).
@@ -593,7 +598,12 @@ protected int processMessagePart(byte[] pdu, String address, int referenceNumber
                 }
             }
             // This one isn't in the DB, so add it
-            pdus[sequenceNumber - 1] = pdu;
+            // GSM sequence numbers start at 1; CDMA WDP datagram sequence numbers start at 0
+            if (isCdmaWapPush) {
+                pdus[sequenceNumber] = pdu;
+            } else {
+                pdus[sequenceNumber - 1] = pdu;
+            }
 
             // Remove the parts from the database
             mResolver.delete(mRawUri, where, whereArgs);
diff --git a/telephony/java/com/android/internal/telephony/cdma/CdmaSMSDispatcher.java b/telephony/java/com/android/internal/telephony/cdma/CdmaSMSDispatcher.java
@@ -198,13 +198,18 @@ public int dispatchMessage(SmsMessageBase smsb) {
     protected int processCdmaWapPdu(byte[] pdu, int referenceNumber, String address) {
         int index = 0;
 
-        int msgType = pdu[index++];
+        int msgType = (0xFF & pdu[index++]);
         if (msgType != 0) {
             Log.w(TAG, "Received a WAP SMS which is not WDP. Discard.");
             return Intents.RESULT_SMS_HANDLED;
         }
-        int totalSegments = pdu[index++];   // >= 1
-        int segment = pdu[index++];         // >= 0
+        int totalSegments = (0xFF & pdu[index++]);   // >= 1
+        int segment = (0xFF & pdu[index++]);         // >= 0
+
+        if (segment >= totalSegments) {
+            Log.e(TAG, "WDP bad segment #" + segment + " expecting 0-" + (totalSegments - 1));
+            return Intents.RESULT_SMS_HANDLED;
+        }
 
         // Only the first segment contains sourcePort and destination Port
         int sourcePort = 0;
