summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEtan Cohen <etancohen@google.com>2019-11-25 11:41:58 -0800
committerBryan Ferris <bferris@google.com>2019-12-18 15:08:00 -0800
commit5039b6099ea82f158f1318fd2be3a141dd0bd54e (patch)
tree308a84e35022e30b0391d1c3c0a7de34d4927bda
parentdf3648e4ff8dbadde70f8196c9d6fb3ad1611ba9 (diff)
downloadplatform_hardware_interfaces-5039b6099ea82f158f1318fd2be3a141dd0bd54e.tar.gz
platform_hardware_interfaces-5039b6099ea82f158f1318fd2be3a141dd0bd54e.tar.bz2
platform_hardware_interfaces-5039b6099ea82f158f1318fd2be3a141dd0bd54e.zip
[AWARE] Protect string copy against buffer overflow
Fixes: 143789898 Test: (Unit) atest com.android.server.wifi Test: ACTS ThroughputTest:test_iperf_single_ndp_aware_only_ib Test: (VTS) atest VtsHalWifiApV1_4TargetTest Change-Id: I5b8aa1d9a6388fe20cb7e1cd6a76d5e59e14d099
-rw-r--r--wifi/1.3/default/hidl_struct_util.cpp16
1 files changed, 14 insertions, 2 deletions
diff --git a/wifi/1.3/default/hidl_struct_util.cpp b/wifi/1.3/default/hidl_struct_util.cpp
index 2e4db70480..d305c09979 100644
--- a/wifi/1.3/default/hidl_struct_util.cpp
+++ b/wifi/1.3/default/hidl_struct_util.cpp
@@ -1819,7 +1819,13 @@ bool convertHidlNanDataPathInitiatorRequestToLegacy(
convertHidlNanDataPathChannelCfgToLegacy(
hidl_request.channelRequestType);
legacy_request->channel = hidl_request.channel;
- strcpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str());
+ if (strnlen(hidl_request.ifaceName.c_str(), IFNAMSIZ + 1) == IFNAMSIZ + 1) {
+ LOG(ERROR) << "convertHidlNanDataPathInitiatorRequestToLegacy: "
+ "ifaceName too long";
+ return false;
+ }
+ strncpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str(),
+ IFNAMSIZ + 1);
legacy_request->ndp_cfg.security_cfg =
(hidl_request.securityConfig.securityType !=
NanDataPathSecurityType::OPEN)
@@ -1900,7 +1906,13 @@ bool convertHidlNanDataPathIndicationResponseToLegacy(
? legacy_hal::NAN_DP_REQUEST_ACCEPT
: legacy_hal::NAN_DP_REQUEST_REJECT;
legacy_request->ndp_instance_id = hidl_request.ndpInstanceId;
- strcpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str());
+ if (strnlen(hidl_request.ifaceName.c_str(), IFNAMSIZ + 1) == IFNAMSIZ + 1) {
+ LOG(ERROR) << "convertHidlNanDataPathIndicationResponseToLegacy: "
+ "ifaceName too long";
+ return false;
+ }
+ strncpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str(),
+ IFNAMSIZ + 1);
legacy_request->ndp_cfg.security_cfg =
(hidl_request.securityConfig.securityType !=
NanDataPathSecurityType::OPEN)