author | Ningyuan Wang <nywang@google.com> | 2016-10-06 13:29:45 -0700 |
---|---|---|
committer | Jessica Wagantall <jwagantall@cyngn.com> | 2016-12-12 11:57:02 -0800 |
commit | d6b4e6279ed4688220940de63249525df854fa61 (patch) | |
tree | 6f61eb19c435eb7ea46a6de4a57012c0412750cc /service/jni | |
parent | e9e7aedfb2b136b1576bd89d365704d5f76b8816 (diff) | |
wifinative jni: check array length to prevent stack overflow
params.ap is an array with length MAX_HOTLIST_APS == 128
We should check that params.num_bssid does not exceed this value,
otherwise this could be a stack overflow security vulnerability.
CTS will be added in another CL.
CYNGNOS-3312
Bug: 31856351
Change-Id: I807f349ceef5c2f5a46eec87515d3550f8288739
Test: compile, unit tests, manual test
Test: SafetyNet log not triggered under non-exploit conditions
Test: POC executable does not crash wifi anymore.
(cherry picked from commit d8748b8faf9c002b59e059d52d49fcc5b7ca5887)
Diffstat (limited to 'service/jni')
-rw-r--r-- | service/jni/com_android_server_wifi_WifiNative.cpp | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp index 2f6c363..1ed21b8 100644 --- a/service/jni/com_android_server_wifi_WifiNative.cpp +++ b/service/jni/com_android_server_wifi_WifiNative.cpp @@ -892,6 +892,13 @@ static jboolean android_net_wifi_setHotlist( return false; } + if (params.num_ap > + static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) { + ALOGE("setHotlist array length is too long"); + android_errorWriteLog(0x534e4554, "31856351"); + return false; + } + for (int i = 0; i < params.num_bssid; i++) { JNIObject<jobject> objAp = helper.getObjectArrayElement(array, i); |
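Review bot: the added guard in android_net_wifi_setHotlist tests `params.num_ap`, but the loop immediately after it is bounded by `params.num_bssid`, and the commit message names `params.num_bssid` as the value that must not exceed the length of `params.ap`. If these are two separate fields, the count that actually drives the writes into the array is still unchecked. The guard should compare the same field the loop uses, for example `if (params.num_bssid > static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0])))`. It would also help triage to include the rejected count and the array capacity in the ALOGE message.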