authorNingyuan Wang <nywang@google.com>2016-10-06 20:29:45 (GMT)
committerChristopher R. Palmer <crpalmer@gmail.com>2017-02-04 01:30:05 (GMT)
commitbebdc4a3ae5000ac26c16071f26557eb7d8278d8 (patch)
tree87e07332c38b2036f6bf5d2c3281f48bfe6509d5
parent7cbe254c274d115800a051a7ce6d20f2936c7b1e (diff)
wifinative jni: check array length to prevent stack overflow
Fix merge conflict into mnc-mr2-release

params.ap is an array with length MAX_HOTLIST_APS == 128.
We should check that params.num_bssid does not exceed this value,
otherwise this could be a stack overflow security vulnerability.
CTS will be added in another CL.

Bug: 31856351
Test: compile, unit tests, manual test
Test: SafetyNet log not triggered under non-exploit conditions
Test: POC executable does not crash wifi anymore.
Change-Id: I99665d529985c89d581939126743c34ae885828c
-rw-r--r--service/jni/com_android_server_wifi_WifiNative.cpp11
1 files changed, 9 insertions, 2 deletions
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index 3242888..a153773 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -899,8 +899,15 @@ static jboolean android_net_wifi_setHotlist(
return false;
}
- for (int i = 0; i < params.num_bssid; i++) {
- JNIObject<jobject> objAp = helper.getObjectArrayElement(array, i);
+ if (params.num_ap >
+ static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
+ ALOGE("setHotlist array length is too long");
+ android_errorWriteLog(0x534e4554, "31856351");
+ return false;
+ }
+
+ for (int i = 0; i < params.num_ap; i++) {
+ jobject objAp = env->GetObjectArrayElement(array, i);
JNIObject<jstring> macAddrString = helper.getStringField(objAp, "bssid");
if (macAddrString == NULL) {