From bebdc4a3ae5000ac26c16071f26557eb7d8278d8 Mon Sep 17 00:00:00 2001
From: Ningyuan Wang
Date: Thu, 6 Oct 2016 13:29:45 -0700
Subject: wifinative jni: check array length to prevent stack overflow

Fix merge conflict into mnc-mr2-release

params.ap is an array with length MAX_HOTLIST_APS == 128
We should check that params.num_bssid does not exceed this value,
otherwise this could be a stack overflow security vulnerability.

CTS will be added in another CL.

Bug: 31856351
Test: compile, unit tests, manual test
Test: SafetyNet log not triggered under non-exploit conditions
Test: POC executable does not crash wifi anymore.

Change-Id: I99665d529985c89d581939126743c34ae885828c
---
 service/jni/com_android_server_wifi_WifiNative.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index 3242888..a153773 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -899,8 +899,15 @@ static jboolean android_net_wifi_setHotlist(
         return false;
     }
 
-    for (int i = 0; i < params.num_bssid; i++) {
-        JNIObject objAp = helper.getObjectArrayElement(array, i);
+    if (params.num_ap >
+            static_cast(sizeof(params.ap) / sizeof(params.ap[0]))) {
+        ALOGE("setHotlist array length is too long");
+        android_errorWriteLog(0x534e4554, "31856351");
+        return false;
+    }
+
+    for (int i = 0; i < params.num_ap; i++) {
+        jobject objAp = env->GetObjectArrayElement(array, i);
         JNIObject macAddrString = helper.getStringField(objAp, "bssid");
         if (macAddrString == NULL) {
-- 
cgit v1.2.3
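Review bot: The rewritten loop body now holds a raw `jobject` from `env->GetObjectArrayElement(array, i)` where the removed line used a `JNIObject` wrapper, so the per-element local reference is no longer released automatically; unless the remainder of the loop (which continues past this hunk) calls `env->DeleteLocalRef(objAp)`, up to 128 local references accumulate inside one native call, and this swap goes beyond the merge-conflict fix the description announces. The new guard only bounds `params.num_ap` by the capacity of `params.ap`, not by the Java array actually being walked, so if nothing above the hunk already compares the two, a count larger than the array makes `GetObjectArrayElement` fail with a pending exception while the loop keeps issuing JNI calls; `if (params.num_ap > env->GetArrayLength(array)) return false;` next to the existing check would close that gap, and `objAp` should be tested for NULL before `helper.getStringField(objAp, "bssid")`. Note also that the description refers to `params.num_bssid` while this branch checks `params.num_ap`. The enclosing function android_net_wifi_setHotlist starts and ends outside the hunk.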