diff options
| author | Etan Cohen <etancohen@google.com> | 2019-11-25 11:41:58 -0800 |
|---|---|---|
| committer | Bryan Ferris <bferris@google.com> | 2019-12-18 15:08:00 -0800 |
| commit | 5039b6099ea82f158f1318fd2be3a141dd0bd54e (patch) | |
| tree | 308a84e35022e30b0391d1c3c0a7de34d4927bda | |
| parent | df3648e4ff8dbadde70f8196c9d6fb3ad1611ba9 (diff) | |
| download | android_hardware_interfaces-5039b6099ea82f158f1318fd2be3a141dd0bd54e.tar.gz android_hardware_interfaces-5039b6099ea82f158f1318fd2be3a141dd0bd54e.tar.bz2 android_hardware_interfaces-5039b6099ea82f158f1318fd2be3a141dd0bd54e.zip | |
[AWARE] Protect string copy against buffer overflow
Fixes: 143789898
Test: (Unit) atest com.android.server.wifi
Test: ACTS ThroughputTest:test_iperf_single_ndp_aware_only_ib
Test: (VTS) atest VtsHalWifiApV1_4TargetTest
Change-Id: I5b8aa1d9a6388fe20cb7e1cd6a76d5e59e14d099
| -rw-r--r-- | wifi/1.3/default/hidl_struct_util.cpp | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/wifi/1.3/default/hidl_struct_util.cpp b/wifi/1.3/default/hidl_struct_util.cpp index 2e4db7048..d305c0997 100644 --- a/wifi/1.3/default/hidl_struct_util.cpp +++ b/wifi/1.3/default/hidl_struct_util.cpp @@ -1819,7 +1819,13 @@ bool convertHidlNanDataPathInitiatorRequestToLegacy( convertHidlNanDataPathChannelCfgToLegacy( hidl_request.channelRequestType); legacy_request->channel = hidl_request.channel; - strcpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str()); + if (strnlen(hidl_request.ifaceName.c_str(), IFNAMSIZ + 1) == IFNAMSIZ + 1) { + LOG(ERROR) << "convertHidlNanDataPathInitiatorRequestToLegacy: " + "ifaceName too long"; + return false; + } + strncpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str(), + IFNAMSIZ + 1); legacy_request->ndp_cfg.security_cfg = (hidl_request.securityConfig.securityType != NanDataPathSecurityType::OPEN) @@ -1900,7 +1906,13 @@ bool convertHidlNanDataPathIndicationResponseToLegacy( ? legacy_hal::NAN_DP_REQUEST_ACCEPT : legacy_hal::NAN_DP_REQUEST_REJECT; legacy_request->ndp_instance_id = hidl_request.ndpInstanceId; - strcpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str()); + if (strnlen(hidl_request.ifaceName.c_str(), IFNAMSIZ + 1) == IFNAMSIZ + 1) { + LOG(ERROR) << "convertHidlNanDataPathIndicationResponseToLegacy: " + "ifaceName too long"; + return false; + } + strncpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str(), + IFNAMSIZ + 1); legacy_request->ndp_cfg.security_cfg = (hidl_request.securityConfig.securityType != NanDataPathSecurityType::OPEN) |