From 5039b6099ea82f158f1318fd2be3a141dd0bd54e Mon Sep 17 00:00:00 2001
From: Etan Cohen <etancohen@google.com>
Date: Mon, 25 Nov 2019 11:41:58 -0800
Subject: [AWARE] Protect string copy against buffer overflow

Fixes: 143789898
Test: (Unit) atest com.android.server.wifi
Test: ACTS ThroughputTest:test_iperf_single_ndp_aware_only_ib
Test: (VTS) atest VtsHalWifiApV1_4TargetTest
Change-Id: I5b8aa1d9a6388fe20cb7e1cd6a76d5e59e14d099
---
 wifi/1.3/default/hidl_struct_util.cpp | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/wifi/1.3/default/hidl_struct_util.cpp b/wifi/1.3/default/hidl_struct_util.cpp
index 2e4db7048..d305c0997 100644
--- a/wifi/1.3/default/hidl_struct_util.cpp
+++ b/wifi/1.3/default/hidl_struct_util.cpp
@@ -1819,7 +1819,13 @@ bool convertHidlNanDataPathInitiatorRequestToLegacy(
         convertHidlNanDataPathChannelCfgToLegacy(
             hidl_request.channelRequestType);
     legacy_request->channel = hidl_request.channel;
-    strcpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str());
+    if (strnlen(hidl_request.ifaceName.c_str(), IFNAMSIZ + 1) == IFNAMSIZ + 1) {
+        LOG(ERROR) << "convertHidlNanDataPathInitiatorRequestToLegacy: "
+                      "ifaceName too long";
+        return false;
+    }
+    strncpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str(),
+            IFNAMSIZ + 1);
     legacy_request->ndp_cfg.security_cfg =
         (hidl_request.securityConfig.securityType !=
          NanDataPathSecurityType::OPEN)
@@ -1900,7 +1906,13 @@ bool convertHidlNanDataPathIndicationResponseToLegacy(
                                    ? legacy_hal::NAN_DP_REQUEST_ACCEPT
                                    : legacy_hal::NAN_DP_REQUEST_REJECT;
     legacy_request->ndp_instance_id = hidl_request.ndpInstanceId;
-    strcpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str());
+    if (strnlen(hidl_request.ifaceName.c_str(), IFNAMSIZ + 1) == IFNAMSIZ + 1) {
+        LOG(ERROR) << "convertHidlNanDataPathIndicationResponseToLegacy: "
+                      "ifaceName too long";
+        return false;
+    }
+    strncpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str(),
+            IFNAMSIZ + 1);
     legacy_request->ndp_cfg.security_cfg =
         (hidl_request.securityConfig.securityType !=
          NanDataPathSecurityType::OPEN)
-- 
cgit v1.2.3