author | Ningyuan Wang <nywang@google.com> | 2016-10-06 13:29:45 -0700 |
---|---|---|
committer | Christopher R. Palmer <crpalmer@gmail.com> | 2017-02-03 20:30:05 -0500 |
commit | bebdc4a3ae5000ac26c16071f26557eb7d8278d8 (patch) | |
tree | 87e07332c38b2036f6bf5d2c3281f48bfe6509d5 | |
parent | 7cbe254c274d115800a051a7ce6d20f2936c7b1e (diff) | |
wifinative jni: check array length to prevent stack overflow
Fix merge conflict into mnc-mr2-release
params.ap is an array with length MAX_HOTLIST_APS == 128
We should check that params.num_bssid does not exceed this value,
otherwise this could be a stack overflow security vulnerability.
CTS will be added in another CL.
Bug: 31856351
Test: compile, unit tests, manual test
Test: SafetyNet log not triggered under non-exploit conditions
Test: POC executable does not crash wifi anymore.
Change-Id: I99665d529985c89d581939126743c34ae885828c
-rw-r--r-- | service/jni/com_android_server_wifi_WifiNative.cpp | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index 3242888..a153773 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -899,8 +899,15 @@ static jboolean android_net_wifi_setHotlist(
 return false;
 }
- for (int i = 0; i < params.num_bssid; i++) {
- JNIObject<jobject> objAp = helper.getObjectArrayElement(array, i);
+ if (params.num_ap >
+ static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
+ ALOGE("setHotlist array length is too long");
+ android_errorWriteLog(0x534e4554, "31856351");
+ return false;
+ }
+
+ for (int i = 0; i < params.num_ap; i++) {
+ jobject objAp = env->GetObjectArrayElement(array, i);
 JNIObject<jstring> macAddrString = helper.getStringField(objAp, "bssid");
 if (macAddrString == NULL) { |
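Review bot: The new bound check and loop read `params.num_ap`, while the removed loop and the commit message use `params.num_bssid`, and the statement that fills the count lies outside this hunk. It is worth confirming that the field set from the Java array length is the same one compared against `sizeof(params.ap) / sizeof(params.ap[0])`, because a check on a different or unset field would leave the writes into `params.ap` unbounded. The loop also replaces `JNIObject<jobject> objAp = helper.getObjectArrayElement(array, i)` with a raw `jobject objAp = env->GetObjectArrayElement(array, i)`, which appears to drop the scoped release of the local reference; adding `env->DeleteLocalRef(objAp);` at the end of each iteration would keep up to 128 references from staying live until the native call returns. In the visible lines `objAp` reaches `helper.getStringField` without a null test, so a guard such as `if (objAp == NULL) return false;` before that call would be prudent. The body of `android_net_wifi_setHotlist` starts and ends outside the hunk, so some of this may already be handled there.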