summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNingyuan Wang <nywang@google.com>2016-10-06 20:29:45 (GMT)
committerJessica Wagantall <jwagantall@cyngn.com>2016-12-12 19:57:02 (GMT)
commitd6b4e6279ed4688220940de63249525df854fa61 (patch)
tree6f61eb19c435eb7ea46a6de4a57012c0412750cc
parente9e7aedfb2b136b1576bd89d365704d5f76b8816 (diff)
downloadandroid_frameworks_opt_net_wifi-d6b4e6279ed4688220940de63249525df854fa61.zip
android_frameworks_opt_net_wifi-d6b4e6279ed4688220940de63249525df854fa61.tar.gz
android_frameworks_opt_net_wifi-d6b4e6279ed4688220940de63249525df854fa61.tar.bz2
wifinative jni: check array length to prevent stack overflow
params.ap is an array with length MAX_HOTLIST_APS == 128 We should check that params.num_bssid does not exceed this value, otherwise this could be a stack overflow security vulnerability. CTS will be added in another CL. CYNGNOS-3312 Bug: 31856351 Change-Id: I807f349ceef5c2f5a46eec87515d3550f8288739 Test: compile, unit tests, manual test Test: SafetyNet log not triggered under non-exploit conditions Test: POC executable does not crash wifi anymore. (cherry picked from commit d8748b8faf9c002b59e059d52d49fcc5b7ca5887)
-rw-r--r--service/jni/com_android_server_wifi_WifiNative.cpp7
1 files changed, 7 insertions, 0 deletions
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index 2f6c363..1ed21b8 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -892,6 +892,13 @@ static jboolean android_net_wifi_setHotlist(
return false;
}
+ if (params.num_ap >
+ static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
+ ALOGE("setHotlist array length is too long");
+ android_errorWriteLog(0x534e4554, "31856351");
+ return false;
+ }
+
for (int i = 0; i < params.num_bssid; i++) {
JNIObject<jobject> objAp = helper.getObjectArrayElement(array, i);