From d6b4e6279ed4688220940de63249525df854fa61 Mon Sep 17 00:00:00 2001 From: Ningyuan Wang Date: Thu, 6 Oct 2016 13:29:45 -0700 Subject: wifinative jni: check array length to prevent stack overflow params.ap is an array with length MAX_HOTLIST_APS == 128 We should check that params.num_bssid does not exceed this value, otherwise this could be a stack overflow security vulnerability. CTS will be added in another CL. CYNGNOS-3312 Bug: 31856351 Change-Id: I807f349ceef5c2f5a46eec87515d3550f8288739 Test: compile, unit tests, manual test Test: SafetyNet log not triggered under non-exploit conditions Test: POC executable does not crash wifi anymore. (cherry picked from commit d8748b8faf9c002b59e059d52d49fcc5b7ca5887)
---
 service/jni/com_android_server_wifi_WifiNative.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index 2f6c363cc..1ed21b810 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -892,6 +892,13 @@ static jboolean android_net_wifi_setHotlist(
 return false;
 }
+ if (params.num_ap >
+ static_cast(sizeof(params.ap) / sizeof(params.ap[0]))) {
+ ALOGE("setHotlist array length is too long");
+ android_errorWriteLog(0x534e4554, "31856351");
+ return false;
+ }
+
 for (int i = 0; i < params.num_bssid; i++) {
 JNIObject objAp = helper.getObjectArrayElement(array, i);
--
cgit v1.2.3
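Review bot: The added guard tests `params.num_ap`, but the loop directly below it runs to `params.num_bssid`, which is also the field the commit message says must be bounded. Unless both names refer to the same count in this tree's struct (its definition is not visible in the hunk), the loop's element count is still not limited to the size of `params.ap`, so the overflow the commit describes would remain reachable. The condition should test the loop's own bound, `if (params.num_bssid >`, with the rest of the comparison kept as is. The body of android_net_wifi_setHotlist starts and ends outside the hunk, so where the count is read from the Java object cannot be confirmed here.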