wifinative jni: check array length to prevent stack overflow

params.ap is an array with length MAX_HOTLIST_APS == 128
We should check that params.num_bssid does not exceed this value,
otherwise this could be a stack overflow security vulnerability.

CTS will be added in another CL.

CYNGNOS-3312
Bug: 31856351
Change-Id: I807f349ceef5c2f5a46eec87515d3550f8288739
Test: compile, unit tests, manual test
Test: SafetyNet log not triggered under non-exploit conditions
Test: POC executable does not crash wifi anymore.
(cherry picked from commit d8748b8faf9c002b59e059d52d49fcc5b7ca5887)

1 files changed, 7 insertions, 0 deletions

diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index 2f6c363..1ed21b8 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -892,6 +892,13 @@ static jboolean android_net_wifi_setHotlist(
         return false;
     }
 
+    if (params.num_ap >
+            static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
+        ALOGE("setHotlist array length is too long");
+        android_errorWriteLog(0x534e4554, "31856351");
+        return false;
+    }
+
     for (int i = 0; i < params.num_bssid; i++) {
         JNIObject<jobject> objAp = helper.getObjectArrayElement(array, i);