wifinative jni: check array length to prevent stack overflow

params.ap is an array with length MAX_HOTLIST_APS == 128
We should check that params.num_bssid does not exceed this value,
otherwise this could be a stack overflow security vulnerability.

CTS will be added in another CL.

Bug: 31856351
Change-Id: I807f349ceef5c2f5a46eec87515d3550f8288739
Test: compile, unit tests, manual test
Test: SafetyNet log not triggered under non-exploit conditions
Test: POC executable does not crash wifi anymore.
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index adc7402..e9e85ac 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -625,6 +625,13 @@
         return false;
     }
 
+    if (params.num_ap >
+            static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
+        ALOGE("setHotlist array length is too long");
+        android_errorWriteLog(0x534e4554, "31856351");
+        return false;
+    }
+
     for (int i = 0; i < params.num_ap; i++) {
         jobject objAp = env->GetObjectArrayElement(array, i);