From a209ff12ba9617c10550678ff93d01fb72a33399 Mon Sep 17 00:00:00 2001 From: Paul Stewart Date: Tue, 31 May 2016 17:31:03 -0700 Subject: Deal correctly with short strings The parseMacAddress function anticipates only properly formed MAC addresses (6 hexadecimal octets separated by ":"). This change properly deals with situations where the string is shorter than expected, making sure that the passed in char* reference in parseHexByte never exceeds the end of the string. BUG: 28164077 TEST: Added a main function: int main(int argc, char **argv) { unsigned char addr[6]; if (argc > 1) { memset(addr, 0, sizeof(addr)); parseMacAddress(argv[1], addr); printf("Result: %02x:%02x:%02x:%02x:%02x:%02x\n", addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]); } } Tested with "", "a" "ab" "ab:c" "abxc". Change-Id: I0db8d0037e48b62333d475296a45b22ab0efe386 --- service/jni/com_android_server_wifi_WifiNative.cpp | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp index 31166e3..acc02d6 100644 --- a/service/jni/com_android_server_wifi_WifiNative.cpp +++ b/service/jni/com_android_server_wifi_WifiNative.cpp @@ -697,15 +697,23 @@ static byte parseHexChar(char ch) { } static byte parseHexByte(const char * &str) { + if (str[0] == '\0') { + ALOGE("Passed an empty string"); + return 0; + } byte b = parseHexChar(str[0]); - if (str[1] == ':' || str[1] == '\0') { - str += 2; - return b; + if (str[1] == '\0' || str[1] == ':') { + str ++; } else { b = b << 4 | parseHexChar(str[1]); - str += 3; - return b; + str += 2; + } + + // Skip trailing delimiter if not at the end of the string. + if (str[0] != '\0') { + str++; } + return b; } static void parseMacAddress(const char *str, mac_addr addr) { -- cgit v1.2.3