From 2f05eff93e2503c9f29a0d7ede62c71c430ccf5f Mon Sep 17 00:00:00 2001 From: vandwalle Date: Mon, 12 Jan 2015 12:42:43 -0800 Subject: prevent null BSSID being inject as scan results Bug:18917134 Change-Id: I0c4d0a2bd5383bac473a588af89589bf70f47c6c --- .../java/com/android/server/wifi/WifiStateMachine.java | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'service') diff --git a/service/java/com/android/server/wifi/WifiStateMachine.java b/service/java/com/android/server/wifi/WifiStateMachine.java index 87e0c3af5..73940b1fa 100644 --- a/service/java/com/android/server/wifi/WifiStateMachine.java +++ b/service/java/com/android/server/wifi/WifiStateMachine.java @@ -122,6 +122,7 @@ import java.util.Locale; import java.util.Queue; import java.util.concurrent.atomic.AtomicBoolean; import java.util.concurrent.atomic.AtomicInteger; +import java.util.regex.Matcher; import java.util.regex.Pattern; /** @@ -3286,6 +3287,9 @@ public class WifiStateMachine extends StateMachine { int emptyScanResultCount = 0; + // Used for matching BSSID strings, at least one characteer must be a non-zero number + private static Pattern mNotZero = Pattern.compile("[1-9a-fA-F]"); + /** * Format: * @@ -3399,7 +3403,11 @@ public class WifiStateMachine extends StateMachine { wifiSsid = WifiSsid.createFromAsciiEncoded( line.substring(SSID_STR.length())); } else if (line.startsWith(DELIMITER_STR) || line.startsWith(END_STR)) { - if (bssid != null) { + Matcher match = null; + if (bssid!= null) { + match = mNotZero.matcher(bssid); + } + if (match != null && !bssid.isEmpty() && match.find()) { String ssid = (wifiSsid != null) ? wifiSsid.toString() : WifiSsid.NONE; String key = bssid + ssid; ScanResult scanResult = mScanResultCache.get(key); 
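Review bot: The `mNotZero` pattern added in the second hunk (`@@ -3286,6 +3287,9 @@`) only tests that some non-zero hex digit occurs anywhere in the string. It rejects the all-zero and empty BSSID, but any other malformed value still reaches the cache key `bssid + ssid` built in the next hunk. If a zero test is all that is intended, the comment should say so, e.g. `// Rejects all-zero BSSIDs only; does not validate the xx:xx:xx:xx:xx:xx format`. The field is never reassigned in the visible lines, so it should be declared `private static final Pattern mNotZero = Pattern.compile("[1-9a-fA-F]");`. The comment's "characteer" is a typo.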
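Review bot: The guard in the third hunk (`@@ -3399,7 +3403,11 @@`) spends five lines and a nullable `Matcher` local on what is a single condition, and `!bssid.isEmpty()` is redundant because `find()` cannot succeed on an empty string. It reads more clearly as `if (bssid != null && mNotZero.matcher(bssid).find()) {`. That form also makes the `java.util.regex.Matcher` import added in the first hunk unnecessary. The enclosing method starts and ends outside the hunk.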
@@ -3424,6 +3432,11 @@ public class WifiStateMachine extends StateMachine { mNumScanResultsReturned ++; // Keep track of how many scan results we got // as part of this scan's processing mScanResults.add(scanResult); + } else { + if (bssid != null) { + loge("setScanResults obtaining null BSSID results <" + + bssid + ">, discard it"); + } } bssid = null; level = 0; -- cgit v1.2.3
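Review bot: The new `else` branch calls `loge` once per discarded entry, so a source that keeps reporting all-zero BSSIDs would produce an error-level log line for every such entry on every scan. The message also says "null BSSID" although this path runs only when `bssid != null`. Consider logging at a debug or verbose level, or counting discards and logging the total once per scan, and rewording to something like `"setScanResults discarding invalid BSSID <" + bssid + ">"`. The enclosing method begins outside the hunk.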