authorNingyuan Wang <nywang@google.com>2017-05-15 14:24:41 -0700
committerNingyuan Wang <nywang@google.com>2017-06-06 19:26:25 -0700
commit74ba4cc8782b1bb8cff4aec35ff6e36af309c784 (patch)
treee7f43f421eb4154f22838b22b732a92fe334c6ce
parent52aefad823857936fb32bc2027027a7d5478feb6 (diff)
DO NOT MERGE: wifinative jni: check array length for trackSignificantWifiChange
params.ap is an array with length MAX_SIGNIFICANT_CHANGE_APS == 64. We should check that params.num_ap does not exceed this value, otherwise this could be a stack overflow security vulnerability. A CTS test is not available because CTS tests do not have the privilege to access system APIs. Bug: 37207928 Test: compile Test: SafetyNet log not triggered under non-exploit conditions Change-Id: I541bacd5448124864f28ef1671edf065cc0e35ed
-rw-r--r--service/jni/com_android_server_wifi_WifiNative.cpp10
1 files changed, 8 insertions, 2 deletions
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index e9e85ac9d..4611d9e2f 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -34,6 +34,7 @@
namespace android {
static jint DBG = false;
+const int SAFE_NET_LOG_ID = 0x534e4554;
static bool doCommand(JNIEnv* env, jstring javaCommand,
char* reply, size_t reply_len) {
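Review bot: SAFE_NET_LOG_ID is added without a comment saying what the magic value 0x534e4554 is, so a reader of the two call sites still has to decode it. The bytes spell "SNET" in ASCII, and the commit message says these calls feed the SafetyNet log. A one-line comment above the constant would record that: `// Event log tag for SafetyNet ("SNET" in ASCII); passed to android_errorWriteLog() when a bounds check trips.` As a style point, the neighbouring `DBG` is declared `static`; a namespace-scope `const int` already has internal linkage in C++, so `static const int` would only be for consistency.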
@@ -628,7 +629,7 @@ static jboolean android_net_wifi_setHotlist(
if (params.num_ap >
static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
ALOGE("setHotlist array length is too long");
- android_errorWriteLog(0x534e4554, "31856351");
+ android_errorWriteLog(SAFE_NET_LOG_ID, "31856351");
return false;
}
@@ -749,7 +750,12 @@ static jboolean android_net_wifi_trackSignificantWifiChange(
ALOGE("Error in accessing array");
return false;
}
-
+ if (params.num_ap >
+ static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
+ ALOGE("trackSignificantWifiChange array length is too long");
+ android_errorWriteLog(SAFE_NET_LOG_ID, "37775935");
+ return false;
+ }
ALOGD("Initialized common fields %d, %d, %d, %d", params.rssi_sample_size,
params.lost_ap_sample_size, params.min_breaching, params.num_ap);
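Review bot: The new guard in android_net_wifi_trackSignificantWifiChange rejects only a params.num_ap above the capacity of params.ap, so a negative count passes the signed comparison (the `static_cast<int>` and the `%d` in the following ALOGD suggest num_ap is an int). Whether a negative value is harmful depends on the code that consumes num_ap after this hunk, which is not visible here (the function starts and ends outside it), but rejecting it in the same check is cheap: `if (params.num_ap < 0 || params.num_ap > static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {`. The identical check in android_net_wifi_setHotlist has the same one-sided bound. Separately, the SafetyNet string logged here is "37775935" while the commit message cites Bug: 37207928; it is worth confirming that the logged id is the intended one, since consumers of the log presumably key on it.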