[AWARE] Protect string copy against buffer overflow
Fixes: 143789898
Test: (Unit) atest com.android.server.wifi
Test: ACTS ThroughputTest:test_iperf_single_ndp_aware_only_ib
Test: (VTS) atest VtsHalWifiApV1_4TargetTest
Change-Id: I5b8aa1d9a6388fe20cb7e1cd6a76d5e59e14d099
diff --git a/wifi/1.3/default/hidl_struct_util.cpp b/wifi/1.3/default/hidl_struct_util.cpp
index 2e4db70..d305c09 100644
--- a/wifi/1.3/default/hidl_struct_util.cpp
+++ b/wifi/1.3/default/hidl_struct_util.cpp
@@ -1819,7 +1819,13 @@
convertHidlNanDataPathChannelCfgToLegacy(
hidl_request.channelRequestType);
legacy_request->channel = hidl_request.channel;
- strcpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str());
+ if (strnlen(hidl_request.ifaceName.c_str(), IFNAMSIZ + 1) == IFNAMSIZ + 1) {
+ LOG(ERROR) << "convertHidlNanDataPathInitiatorRequestToLegacy: "
+ "ifaceName too long";
+ return false;
+ }
+ strncpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str(),
+ IFNAMSIZ + 1);
legacy_request->ndp_cfg.security_cfg =
(hidl_request.securityConfig.securityType !=
NanDataPathSecurityType::OPEN)
@@ -1900,7 +1906,13 @@
? legacy_hal::NAN_DP_REQUEST_ACCEPT
: legacy_hal::NAN_DP_REQUEST_REJECT;
legacy_request->ndp_instance_id = hidl_request.ndpInstanceId;
- strcpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str());
+ if (strnlen(hidl_request.ifaceName.c_str(), IFNAMSIZ + 1) == IFNAMSIZ + 1) {
+ LOG(ERROR) << "convertHidlNanDataPathIndicationResponseToLegacy: "
+ "ifaceName too long";
+ return false;
+ }
+ strncpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str(),
+ IFNAMSIZ + 1);
legacy_request->ndp_cfg.security_cfg =
(hidl_request.securityConfig.securityType !=
NanDataPathSecurityType::OPEN)