diff options
author | Ningyuan Wang <nywang@google.com> | 2016-10-06 13:29:45 -0700 |
---|---|---|
committer | Jessica Wagantall <jwagantall@cyngn.com> | 2016-12-08 19:14:41 -0800 |
commit | 84e1cda5b2b81ba9b07cb228cd20cda8a93aa492 (patch) | |
tree | e61a7f8483c3d8bffeec9e530a138ce490678715 | |
parent | 86bdc8e5361232ce17a67a260fb58a700900c198 (diff) | |
download | android_frameworks_opt_net_wifi-84e1cda5b2b81ba9b07cb228cd20cda8a93aa492.tar.gz android_frameworks_opt_net_wifi-84e1cda5b2b81ba9b07cb228cd20cda8a93aa492.tar.bz2 android_frameworks_opt_net_wifi-84e1cda5b2b81ba9b07cb228cd20cda8a93aa492.zip |
wifinative jni: check array length to prevent stack overflow
params.ap is an array with length MAX_HOTLIST_APS == 128
We should check that params.num_bssid does not exceed this value,
otherwise this could be a stack overflow security vulnerability.
CTS will be added in another CL.
CYNGNOS-3312
Bug: 31856351
Change-Id: I807f349ceef5c2f5a46eec87515d3550f8288739
Test: compile, unit tests, manual test
Test: SafetyNet log not triggered under non-exploit conditions
Test: POC executable does not crash wifi anymore.
-rw-r--r-- | service/jni/com_android_server_wifi_WifiNative.cpp | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp index a6d4f4ee9..dc0aad05f 100644 --- a/service/jni/com_android_server_wifi_WifiNative.cpp +++ b/service/jni/com_android_server_wifi_WifiNative.cpp @@ -892,6 +892,13 @@ static jboolean android_net_wifi_setHotlist( return false; } + if (params.num_ap > + static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) { + ALOGE("setHotlist array length is too long"); + android_errorWriteLog(0x534e4554, "31856351"); + return false; + } + for (int i = 0; i < params.num_bssid; i++) { JNIObject<jobject> objAp = helper.getObjectArrayElement(array, i); |