diff options
| author | Legrand Benjamin <android@legrand.ws> | 2015-11-26 22:07:08 +0100 |
|---|---|---|
| committer | Alberto97 <albertop2197@gmail.com> | 2016-03-17 12:32:10 +0100 |
| commit | 8afb31bb0e93107642b96d4380fedcf832688e95 (patch) | |
| tree | 3931bce72c134cf93e364caea9dfd916957ccab0 /service | |
| parent | 81f882faf55fdc6411077bc42a850b563d61c9fd (diff) | |
| download | frameworks_opt_net_wifi-8afb31bb0e93107642b96d4380fedcf832688e95.tar.gz frameworks_opt_net_wifi-8afb31bb0e93107642b96d4380fedcf832688e95.tar.bz2 frameworks_opt_net_wifi-8afb31bb0e93107642b96d4380fedcf832688e95.zip | |
WifiScanningService: Fix invalid offset error
The code currently assumes that mSettings.buckets is at least as
large as mTimeBuckets. The length of mSettings.buckets is determined
at runtime by querying the kernel via the WiFi HAL. In the event
that the query fails, the mSettings.buckets array will have a zero
size. The code will then try to access a nonexistent element in the
zero length array, leading to an array bounds error that brings down
the whole Android runtime.
This check protects against the crash that would occur when the
mSettings.buckets array is undersized.
Change-Id: Ic3fffd82c745922bd6378062ee188841880895a2
Diffstat (limited to 'service')
| -rw-r--r-- | service/java/com/android/server/wifi/WifiScanningServiceImpl.java | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/service/java/com/android/server/wifi/WifiScanningServiceImpl.java b/service/java/com/android/server/wifi/WifiScanningServiceImpl.java index a0f5061..9038b4e 100644 --- a/service/java/com/android/server/wifi/WifiScanningServiceImpl.java +++ b/service/java/com/android/server/wifi/WifiScanningServiceImpl.java @@ -1004,7 +1004,7 @@ public class WifiScanningServiceImpl extends IWifiScanner.Stub { } int bestBucketIndex = -1; // best by period - for (int i = 0; i < mTimeBuckets.length; i++) { + for (int i = 0; i < mTimeBuckets.length && i < mSettings.buckets.length; i++) { TimeBucket bucket = mTimeBuckets[i]; if (bucket.periodMinInSecond * 1000 <= settings.periodInMs && settings.periodInMs < bucket.periodMaxInSecond * 1000) { |