resolve merge conflicts of 849c5c7 to mnc-dev

This resovles the merge conflict for ag/1514448/ After Android M, this function uses num_bssid instead of num_ap. Both are prone to stack overflow attacks. Bug: 31856351 Test: compile, unit tests, manual test Change-Id: I194850a4c79ddf478d98e750f65b24e82d99ebc0
author: Ningyuan Wang <nywang@google.com> 2016-10-11 11:42:12 -0700
committer: Ningyuan Wang <nywang@google.com> 2016-10-11 11:43:53 -0700
commit: 29a2baf3195256bab6a0a4a2d07b7f2efa46b614 (patch)
tree: 1c9497f5ac41c008466314545ce4401d48fcb148 /service
parent: 6154eb070b9f224a8daebf0a852d61f07d2c5cf3 (diff)
parent: 849c5c7ba6d8670788efdd6977c306ca2a3069c7 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index 14f7b9631..bf073f7cd 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -821,6 +821,13 @@ static jboolean android_net_wifi_setHotlist(
         return false;
     }
 
+    if (params.num_bssid >
+            static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
+        ALOGE("setHotlist array length is too long");
+        android_errorWriteLog(0x534e4554, "31856351");
+        return false;
+    }
+
     for (int i = 0; i < params.num_bssid; i++) {
         JNIObject<jobject> objAp = helper.getObjectArrayElement(array, i);
author	Ningyuan Wang <nywang@google.com>	2016-10-11 11:42:12 -0700
committer	Ningyuan Wang <nywang@google.com>	2016-10-11 11:43:53 -0700
commit	29a2baf3195256bab6a0a4a2d07b7f2efa46b614 (patch)
tree	1c9497f5ac41c008466314545ce4401d48fcb148 /service
parent	6154eb070b9f224a8daebf0a852d61f07d2c5cf3 (diff)
parent	849c5c7ba6d8670788efdd6977c306ca2a3069c7 (diff)