cherry-pick: wifinative jni: check array length for trackSignificantWifiChange
params.ap is an array with length MAX_SIGNIFICANT_CHANGE_APS == 64
We should check that params.num_ap does not exceed this value,
otherwise this could be a stack overflow security vulnerability.
CTS test is not available because CTS test doesn't have the
privilege to access system API.
FPIIM-1366
Bug: 37207928
Test: compile
Test: SafetyNet log not triggered under non-exploit conditions
Change-Id: I541bacd5448124864f28ef1671edf065cc0e35ed
(cherry picked from commit dc96644e72bbac7b579c3ac4b8c5beed1fe7f0b6)
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index f3dfe43..1ad0b0b 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -43,6 +43,7 @@
namespace android {
static jint DBG = false;
+constexpr int SAFE_NET_LOG_ID = 0x534e4554;
//Please put all HAL function call here and call from the function table instead of directly call
static wifi_hal_fn hal_fn;
@@ -890,7 +891,7 @@
if (params.num_bssid >
static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
ALOGE("setHotlist array length is too long");
- android_errorWriteLog(0x534e4554, "31856351");
+ android_errorWriteLog(SAFE_NET_LOG_ID, "31856351");
return false;
}
@@ -1008,7 +1009,12 @@
ALOGE("Error in accessing array");
return false;
}
-
+ if (params.num_bssid >
+ static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
+ ALOGE("trackSignificantWifiChange array length is too long");
+ android_errorWriteLog(SAFE_NET_LOG_ID, "37775935");
+ return false;
+ }
ALOGD("Initialized common fields %d, %d, %d, %d", params.rssi_sample_size,
params.lost_ap_sample_size, params.min_breaching, params.num_bssid);