[AWARE] Add UID checking to WifiAware network specifier

Wifi Aware networks are tied to a specific session - which
is tied to a specific UID. Change verifies that a network
requestor is only using session contexts which are owned by
the same UID.

Bug: 36053921
Test: integration (sl4a) tests
Change-Id: Ife235e3d3f509d3425614ef1392c20f2b127c88f

1 files changed, 7 insertions, 2 deletions

diff --git a/service/java/com/android/server/wifi/aware/WifiAwareDataPathStateManager.java b/service/java/com/android/server/wifi/aware/WifiAwareDataPathStateManager.java
index 14d855e00..723828d7f 100644
--- a/service/java/com/android/server/wifi/aware/WifiAwareDataPathStateManager.java
+++ b/service/java/com/android/server/wifi/aware/WifiAwareDataPathStateManager.java
@@ -592,8 +592,6 @@ public class WifiAwareDataPathStateManager {
                 return true;
             }
 
-            // TODO: validate that the client ID actually comes from the correct process and is
-            // not faked?
             nnri = AwareNetworkRequestInformation.processNetworkSpecifier(networkSpecifier, mMgr);
             if (nnri == null) {
                 Log.e(TAG, "WifiAwareNetworkFactory.acceptRequest: request=" + request
@@ -903,6 +901,13 @@ public class WifiAwareDataPathStateManager {
                 }
             }
 
+            // validate UID
+            if (ns.requestorUid != uid) {
+                Log.e(TAG, "processNetworkSpecifier: networkSpecifier=" + ns.toString()
+                        + " -- UID mismatch to clientId's uid=" + uid);
+                return null;
+            }
+
             // create container and populate
             AwareNetworkRequestInformation nnri = new AwareNetworkRequestInformation();
             nnri.state = (ns.role == WifiAwareManager.WIFI_AWARE_DATA_PATH_ROLE_INITIATOR)