From dc96644e72bbac7b579c3ac4b8c5beed1fe7f0b6 Mon Sep 17 00:00:00 2001 From: Ningyuan Wang Date: Mon, 15 May 2017 14:24:41 -0700 Subject: cherry-pick: wifinative jni: check array length for trackSignificantWifiChange params.ap is an array with length MAX_SIGNIFICANT_CHANGE_APS == 64 We should check that params.num_ap does not exceed this value, otherwise this could be a stack overflow security vulnerability. CTS test is not available because CTS test doesn't have the privilege to access system API. Bug: 37207928 Test: compile Test: SafetyNet log not triggered under non-exploit conditions Change-Id: I541bacd5448124864f28ef1671edf065cc0e35ed --- service/jni/com_android_server_wifi_WifiNative.cpp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'service') diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp index bf073f7cd..4da9b9623 100644 --- a/service/jni/com_android_server_wifi_WifiNative.cpp +++ b/service/jni/com_android_server_wifi_WifiNative.cpp @@ -38,6 +38,7 @@ namespace android { static jint DBG = false; +constexpr int SAFE_NET_LOG_ID = 0x534e4554; //Please put all HAL function call here and call from the function table instead of directly call static wifi_hal_fn hal_fn; @@ -824,7 +825,7 @@ static jboolean android_net_wifi_setHotlist( if (params.num_bssid > static_cast(sizeof(params.ap) / sizeof(params.ap[0]))) { ALOGE("setHotlist array length is too long"); - android_errorWriteLog(0x534e4554, "31856351"); + android_errorWriteLog(SAFE_NET_LOG_ID, "31856351"); return false; } @@ -942,7 +943,12 @@ static jboolean android_net_wifi_trackSignificantWifiChange( ALOGE("Error in accessing array"); return false; } - + if (params.num_bssid > + static_cast(sizeof(params.ap) / sizeof(params.ap[0]))) { + ALOGE("trackSignificantWifiChange array length is too long"); + android_errorWriteLog(SAFE_NET_LOG_ID, "37775935"); + return false; + } ALOGD("Initialized common fields %d, %d, %d, %d", params.rssi_sample_size, params.lost_ap_sample_size, params.min_breaching, params.num_bssid); -- cgit v1.2.3