diff options
author | Ningyuan Wang <nywang@google.com> | 2017-05-15 14:24:41 -0700 |
---|---|---|
committer | Ningyuan Wang <nywang@google.com> | 2017-06-06 19:26:25 -0700 |
commit | 74ba4cc8782b1bb8cff4aec35ff6e36af309c784 (patch) | |
tree | e7f43f421eb4154f22838b22b732a92fe334c6ce | |
parent | 52aefad823857936fb32bc2027027a7d5478feb6 (diff) | |
download | android_frameworks_opt_net_wifi-74ba4cc8782b1bb8cff4aec35ff6e36af309c784.tar.gz android_frameworks_opt_net_wifi-74ba4cc8782b1bb8cff4aec35ff6e36af309c784.tar.bz2 android_frameworks_opt_net_wifi-74ba4cc8782b1bb8cff4aec35ff6e36af309c784.zip |
DO NOT MERGE: wifinative jni: check array length for trackSignificantWifiChange
params.ap is an array with length MAX_SIGNIFICANT_CHANGE_APS == 64
We should check that params.num_ap does not exceed this value,
otherwise this could be a stack overflow security vulnerability.
CTS test is not available because CTS test doesn't have the
privilege to access system API.
Bug: 37207928
Test: compile
Test: SafetyNet log not triggered under non-exploit conditions
Change-Id: I541bacd5448124864f28ef1671edf065cc0e35ed
-rw-r--r-- | service/jni/com_android_server_wifi_WifiNative.cpp | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp index e9e85ac9d..4611d9e2f 100644 --- a/service/jni/com_android_server_wifi_WifiNative.cpp +++ b/service/jni/com_android_server_wifi_WifiNative.cpp @@ -34,6 +34,7 @@ namespace android { static jint DBG = false; +const int SAFE_NET_LOG_ID = 0x534e4554; static bool doCommand(JNIEnv* env, jstring javaCommand, char* reply, size_t reply_len) { @@ -628,7 +629,7 @@ static jboolean android_net_wifi_setHotlist( if (params.num_ap > static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) { ALOGE("setHotlist array length is too long"); - android_errorWriteLog(0x534e4554, "31856351"); + android_errorWriteLog(SAFE_NET_LOG_ID, "31856351"); return false; } @@ -749,7 +750,12 @@ static jboolean android_net_wifi_trackSignificantWifiChange( ALOGE("Error in accessing array"); return false; } - + if (params.num_ap > + static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) { + ALOGE("trackSignificantWifiChange array length is too long"); + android_errorWriteLog(SAFE_NET_LOG_ID, "37775935"); + return false; + } ALOGD("Initialized common fields %d, %d, %d, %d", params.rssi_sample_size, params.lost_ap_sample_size, params.min_breaching, params.num_ap); |