Handle IEs with Extension present and zero length

This commit handles malformed information elements with Id indicating extension is present, but with length of zero. This is not a valid length since at least there should be one octet to carry the extension id. Bug: 147274004 Test: atest FrameworksWifiTests Change-Id: I8d3af6cb5833849785fce2530788301e5c849968
author: Ahmed ElArabawy <arabawy@google.com> 2020-01-08 14:28:18 -0800
committer: Ahmed ElArabawy <arabawy@google.com> 2020-01-08 15:49:10 -0800
commit: 2408148c754fd712d874309e94f0c6e6355ddbdc (patch)
tree: 36aaf9a1acb96c2e45f938f6eaf848c7a52388e0
parent: 87a9d2c5096fec3ccad92ff09c8c3f7f18fad017 (diff)
2 files changed, 36 insertions, 3 deletions
diff --git a/service/java/com/android/server/wifi/util/InformationElementUtil.java b/service/java/com/android/server/wifi/util/InformationElementUtil.java
index 3ee5d8c9f..a00cf3143 100644
--- a/service/java/com/android/server/wifi/util/InformationElementUtil.java
+++ b/service/java/com/android/server/wifi/util/InformationElementUtil.java
@@ -61,6 +61,10 @@ public class InformationElementUtil {
             if (eid == InformationElement.EID_SSID) {
                 found_ssid = true;
             } else if (eid == InformationElement.EID_EXTENSION_PRESENT) {
+                if (elementLength == 0) {
+                    // Malformed IE, skipping
+                    break;
+                }
                 eidExt = data.get() & Constants.BYTE_MASK;
                 elementLength--;
             }
diff --git a/tests/wifitests/src/com/android/server/wifi/util/InformationElementUtilTest.java b/tests/wifitests/src/com/android/server/wifi/util/InformationElementUtilTest.java
index 729c09c14..c8c853704 100644
--- a/tests/wifitests/src/com/android/server/wifi/util/InformationElementUtilTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/util/InformationElementUtilTest.java
@@ -86,7 +86,7 @@ public class InformationElementUtilTest extends WifiBaseTest {
      * Expect parseInformationElement to return an empty InformationElement array.
      */
     @Test
-    public void parseInformationElements_withEmptyByteArray() {
+    public void parseInformationElements_withEmptyByteArray() throws IOException {
         byte[] emptyBytes = new byte[0];
         InformationElement[] results =
                 InformationElementUtil.parseInformationElements(emptyBytes);
@@ -95,16 +95,45 @@ public class InformationElementUtilTest extends WifiBaseTest {
 
     /**
      * Test parseInformationElements called with a null parameter.
-     * Expect parseInfomrationElement to return an empty InformationElement array.
+     * Expect parseInformationElement to return an empty InformationElement array.
      */
     @Test
-    public void parseInformationElements_withNullBytes() {
+    public void parseInformationElements_withNullBytes() throws IOException {
         byte[] nullBytes = null;
         InformationElement[] results =
                 InformationElementUtil.parseInformationElements(nullBytes);
         assertEquals("parsed results should be empty", 0, results.length);
     }
 
+    /**
+     * Test parseInformationElements called with a zero length, and extension id.
+     * Expect parseInformationElement to return an empty InformationElement array.
+     */
+    @Test
+    public void parseInformationElements_withZeroLengthAndExtensionId() throws IOException {
+        byte[] bytes = { (byte) 0xFF, (byte) 0x00 };
+        InformationElement[] results =
+                InformationElementUtil.parseInformationElements(bytes);
+        assertEquals("parsed results should be empty", 0, results.length);
+    }
+
+    /**
+     * Test parseInformationElements called with a zero length, and extension id after
+     * other IEs.
+     * Expect parseInformationElement to parse the IEs prior to the malformed IE.
+     */
+    @Test
+    public void parseInformationElements_withZeroLengthAndExtensionIdAfterAnotherIe()
+            throws IOException {
+        byte[] malFormedIEbytes = { (byte) 0xFF, (byte) 0x00 };
+        byte[] bytes = concatenateByteArrays(TEST_BSS_LOAD_BYTES_IE, malFormedIEbytes);
+        InformationElement[] results =
+                InformationElementUtil.parseInformationElements(bytes);
+        assertEquals("parsed results should have 1 IE", 1, results.length);
+        assertEquals("Parsed element should be a BSS_LOAD tag",
+                InformationElement.EID_BSS_LOAD, results[0].id);
+    }
+
     /*
      * Test parseInformationElements with a single element represented in the byte array.
      * Expect a single element to be returned in the InformationElements array.  The
author	Ahmed ElArabawy <arabawy@google.com>	2020-01-08 14:28:18 -0800
committer	Ahmed ElArabawy <arabawy@google.com>	2020-01-08 15:49:10 -0800
commit	2408148c754fd712d874309e94f0c6e6355ddbdc (patch)
tree	36aaf9a1acb96c2e45f938f6eaf848c7a52388e0
parent	87a9d2c5096fec3ccad92ff09c8c3f7f18fad017 (diff)