cherry-pick: wifinative jni: check array length for trackSignificantWifiChange
params.ap is an array with length MAX_SIGNIFICANT_CHANGE_APS == 64
We should check that params.num_ap does not exceed this value,
otherwise this could be a stack overflow security vulnerability.
CTS test is not available because CTS test doesn't have the
privilege to access system API.
Bug: 37207928
Test: compile
Test: SafetyNet log not triggered under non-exploit conditions
Change-Id: I541bacd5448124864f28ef1671edf065cc0e35ed
(cherry picked from commit dc96644e72bbac7b579c3ac4b8c5beed1fe7f0b6)
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index ad7d464..ffd5b55 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -49,6 +49,7 @@
jint Java_com_android_server_wifi_WifiNative_registerNanNatives(JNIEnv* env, jclass clazz);
static jint DBG = false;
+constexpr int SAFE_NET_LOG_ID = 0x534e4554;
//Please put all HAL function call here and call from the function table instead of directly call
wifi_hal_fn hal_fn;
@@ -790,7 +791,7 @@
if (params.num_bssid >
static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
ALOGE("setHotlist array length is too long");
- android_errorWriteLog(0x534e4554, "31856351");
+ android_errorWriteLog(SAFE_NET_LOG_ID, "31856351");
return false;
}
@@ -909,7 +910,12 @@
ALOGE("BssidInfo array length was 0");
return false;
}
-
+ if (params.num_bssid >
+ static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
+ ALOGE("trackSignificantWifiChange array length is too long");
+ android_errorWriteLog(SAFE_NET_LOG_ID, "37775935");
+ return false;
+ }
ALOGD("Initialized common fields %d, %d, %d, %d", params.rssi_sample_size,
params.lost_ap_sample_size, params.min_breaching, params.num_bssid);