diff options
| author | Ningyuan Wang <nywang@google.com> | 2016-10-06 13:29:45 -0700 |
|---|---|---|
| committer | Ningyuan Wang <nywang@google.com> | 2016-10-11 09:44:02 -0700 |
| commit | a5a18239096f6faee80f15f3fff39c3311898484 (patch) | |
| tree | dddbd13c5cbd1ff188ac9aa8d029c1ca79cf8c6c /service/jni | |
| parent | 1921acbf2c82dd0813b3734f2609fe6f971c9c2f (diff) | |
| download | android_frameworks_opt_net_wifi-a5a18239096f6faee80f15f3fff39c3311898484.tar.gz android_frameworks_opt_net_wifi-a5a18239096f6faee80f15f3fff39c3311898484.tar.bz2 android_frameworks_opt_net_wifi-a5a18239096f6faee80f15f3fff39c3311898484.zip | |
wifinative jni: check array length to prevent stack overflow
params.ap is an array with length MAX_HOTLIST_APS == 128
We should check that params.num_bssid does not exceed this value,
otherwise this could be a stack overflow security vulnerability.
CTS will be added in another CL.
Bug: 31856351
Change-Id: I807f349ceef5c2f5a46eec87515d3550f8288739
Test: compile, unit tests, manual test
Test: SafetyNet log not triggered under non-exploit conditions
Test: POC executable does not crash wifi anymore.
Diffstat (limited to 'service/jni')
| -rw-r--r-- | service/jni/com_android_server_wifi_WifiNative.cpp | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp index adc7402f2..e9e85ac9d 100644 --- a/service/jni/com_android_server_wifi_WifiNative.cpp +++ b/service/jni/com_android_server_wifi_WifiNative.cpp @@ -625,6 +625,13 @@ static jboolean android_net_wifi_setHotlist( return false; } + if (params.num_ap > + static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) { + ALOGE("setHotlist array length is too long"); + android_errorWriteLog(0x534e4554, "31856351"); + return false; + } + for (int i = 0; i < params.num_ap; i++) { jobject objAp = env->GetObjectArrayElement(array, i); |