diff options
| author | Legrand Benjamin <android@legrand.ws> | 2015-11-26 22:07:08 +0100 |
|---|---|---|
| committer | Alberto97 <albertop2197@gmail.com> | 2016-03-17 12:32:10 +0100 |
| commit | 8afb31bb0e93107642b96d4380fedcf832688e95 (patch) | |
| tree | 3931bce72c134cf93e364caea9dfd916957ccab0 | |
| parent | 81f882faf55fdc6411077bc42a850b563d61c9fd (diff) | |
| download | android_frameworks_opt_net_wifi-8afb31bb0e93107642b96d4380fedcf832688e95.tar.gz android_frameworks_opt_net_wifi-8afb31bb0e93107642b96d4380fedcf832688e95.tar.bz2 android_frameworks_opt_net_wifi-8afb31bb0e93107642b96d4380fedcf832688e95.zip | |
WifiScanningService: Fix invalid offset error
The code currently assumes that mSettings.buckets is at least as
large as mTimeBuckets. The length of mSettings.buckets is determined
at runtime by querying the kernel via the WiFi HAL. In the event
that the query fails, the mSettings.buckets array will have a zero
size. The code will then try to access a nonexistent element in the
zero length array, leading to an array bounds error that brings down
the whole Android runtime.
This check protects against the crash that would occur when the
mSettings.buckets array is undersized.
Change-Id: Ic3fffd82c745922bd6378062ee188841880895a2
| -rw-r--r-- | service/java/com/android/server/wifi/WifiScanningServiceImpl.java | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/service/java/com/android/server/wifi/WifiScanningServiceImpl.java b/service/java/com/android/server/wifi/WifiScanningServiceImpl.java index a0f506113..9038b4eec 100644 --- a/service/java/com/android/server/wifi/WifiScanningServiceImpl.java +++ b/service/java/com/android/server/wifi/WifiScanningServiceImpl.java @@ -1004,7 +1004,7 @@ public class WifiScanningServiceImpl extends IWifiScanner.Stub { } int bestBucketIndex = -1; // best by period - for (int i = 0; i < mTimeBuckets.length; i++) { + for (int i = 0; i < mTimeBuckets.length && i < mSettings.buckets.length; i++) { TimeBucket bucket = mTimeBuckets[i]; if (bucket.periodMinInSecond * 1000 <= settings.periodInMs && settings.periodInMs < bucket.periodMaxInSecond * 1000) { |