From e3f551d31eedc7fa6af90412b6596ca0052f90d2 Mon Sep 17 00:00:00 2001
From: Ningyuan Wang
Date: Mon, 15 May 2017 14:24:41 -0700
Subject: cherry-pick: wifinative jni: check array length for trackSignificantWifiChange
params.ap is an array with length MAX_SIGNIFICANT_CHANGE_APS == 64 We should check that params.num_ap does not exceed this value, otherwise this could be a stack overflow security vulnerability. CTS test is not available because CTS test doesn't have the privilege to access system API.
Bug: 37207928
Test: compile
Test: SafetyNet log not triggered under non-exploit conditions
Change-Id: I541bacd5448124864f28ef1671edf065cc0e35ed
(cherry picked from commit dc96644e72bbac7b579c3ac4b8c5beed1fe7f0b6)
---
service/jni/com_android_server_wifi_WifiNative.cpp | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index ad7d464ae..ffd5b559f 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -49,6 +49,7 @@ extern "C" jint Java_com_android_server_wifi_WifiNative_registerNanNatives(JNIEnv* env, jclass clazz);
 static jint DBG = false;
+constexpr int SAFE_NET_LOG_ID = 0x534e4554;
 //Please put all HAL function call here and call from the function table instead of directly call
 wifi_hal_fn hal_fn;
@@ -790,7 +791,7 @@ static jboolean android_net_wifi_setHotlist(
 if (params.num_bssid >
 static_cast(sizeof(params.ap) / sizeof(params.ap[0]))) {
 ALOGE("setHotlist array length is too long");
- android_errorWriteLog(0x534e4554, "31856351");
+ android_errorWriteLog(SAFE_NET_LOG_ID, "31856351");
 return false;
 }
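Review bot: The new `SAFE_NET_LOG_ID` constant in the first hunk carries no comment, so a reader cannot tell that 0x534e4554 is the ASCII tag "SNET" or that android_errorWriteLog() entries with this id are what the commit message calls the SafetyNet log. Suggest `// "SNET": log id for android_errorWriteLog() entries that report rejected, potentially malicious input to SafetyNet.` directly above the `constexpr` line. Since the setHotlist hunk and the trackSignificantWifiChange hunk both pass this id together with a bug number, the comment could also note that the second argument is the tracking bug for the rejected condition.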
@@ -909,7 +910,12 @@ static jboolean android_net_wifi_trackSignificantWifiChange(
 ALOGE("BssidInfo array length was 0");
 return false;
 }
-
+ if (params.num_bssid >
+ static_cast(sizeof(params.ap) / sizeof(params.ap[0]))) {
+ ALOGE("trackSignificantWifiChange array length is too long");
+ android_errorWriteLog(SAFE_NET_LOG_ID, "37775935");
+ return false;
+ }
 ALOGD("Initialized common fields %d, %d, %d, %d", params.rssi_sample_size, params.lost_ap_sample_size, params.min_breaching, params.num_bssid);
--
cgit v1.2.3
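Review bot: The added guard only rejects `params.num_bssid` values above the capacity of `params.ap`; it does not reject a negative count, and because the capacity is cast to a signed type before the comparison a negative `num_bssid` would pass straight through. Whether that matters depends on the zero-length check immediately above, whose condition lies outside the hunk: if it is `== 0` rather than `<= 0`, the first line of the new guard should become `if (params.num_bssid < 0 || params.num_bssid >` so that any copy loop sized by `num_bssid` below sees a value in `[0, capacity]`. The commit message describes the bound as `params.num_ap` against `MAX_SIGNIFICANT_CHANGE_APS`, while the code bounds `num_bssid` by the sizeof of `params.ap`; presumably these are the same thing, and a comment such as `// params.ap is a fixed-size array in the HAL struct; a larger num_bssid would write past it on the stack` above the `if` would remove the doubt for the next reader. The enclosing android_net_wifi_trackSignificantWifiChange function starts and ends outside the hunk.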