commit a2b52c6ddbfd57b3529209782d9d13bafadab9ed
author Yingjie Wang <yingjiewang@codeaurora.org> Thu Aug 13 16:37:07 2020 +0800
committer Wayne Lin <waynewhlin@google.com> Wed Aug 19 08:31:19 2020 +0000
tree d1cb13c03e7ce6130ad0500f114353a48bfe5f3e
parent b24247527ca0d5e9852f6d9050f7c2b84c0cf9a2

[C2F2] Fix CFI sanitizer issue in SystemStatusNetworkInfo

Make uint8_t variable int8_t to avoid potential
sub overflow.

Bug: 163454256
Test: build pass and verify basic function pass
CRs-fixed: 2756196
Change-Id: I1a660166f759616ce585f5c51a18df9d9a9d6bcb

core/SystemStatus.h

diff --git a/core/SystemStatus.h b/core/SystemStatus.h
index 4d3a25e..f711a04 100644
--- a/core/SystemStatus.h
+++ b/core/SystemStatus.h
@@ -501,7 +501,7 @@
     inline SystemStatusNetworkInfo(const NetworkInfoDataItemBase& itemBase) :
             NetworkInfoDataItemBase(itemBase),
             mSrcObjPtr((NetworkInfoDataItemBase*)&itemBase) {
-        mType = itemBase.getType();
+        mType = (int32_t)itemBase.getType();
     }
     inline bool equals(const SystemStatusNetworkInfo& peer) {
         for (uint8_t i = 0; i < MAX_NETWORK_HANDLES; ++i) {
@@ -513,16 +513,16 @@
     }
     inline virtual SystemStatusItemBase& collate(SystemStatusItemBase& curInfo) {
         uint64_t allTypes = (static_cast<SystemStatusNetworkInfo&>(curInfo)).mAllTypes;
-        uint64_t networkHandle =
-                (static_cast<SystemStatusNetworkInfo&>(curInfo)).mNetworkHandle;
-        int32_t type = (static_cast<SystemStatusNetworkInfo&>(curInfo)).mType;
         // Replace current with cached table for now and then update
         memcpy(mAllNetworkHandles,
                (static_cast<SystemStatusNetworkInfo&>(curInfo)).getNetworkHandle(),
                sizeof(mAllNetworkHandles));
+        LOC_LOGd("NetworkInfo: allTypes=%" PRIx64 " mType=%x mConnected=%u mNetworkHandle=%" PRIx64 , allTypes, mType, mConnected, mNetworkHandle);
         if (mConnected) {
             mAllTypes |= allTypes;
             for (uint8_t i = 0; i < MAX_NETWORK_HANDLES; ++i) {
+            LOC_LOGd("NetworkInfo: mNetworkHandle[%u]: networkHandle %" PRIx64 ",  networkType %x", i, mAllNetworkHandles[i].networkHandle,
+                    mAllNetworkHandles[i].networkType);
                 if (mNetworkHandle == mAllNetworkHandles[i].networkHandle) {
                     LOC_LOGD("collate duplicate detected, not updating");
                     break;
@@ -542,21 +542,21 @@
                  ++lastValidIndex) {
                 // Maintain count for number of network handles still
                 // connected for given type
-                if (mType == mAllNetworkHandles[lastValidIndex].networkType) {
-                    typeCount++;
+                if (mType == (int32_t)mAllNetworkHandles[lastValidIndex].networkType) {
+                    if (mNetworkHandle == mAllNetworkHandles[lastValidIndex].networkHandle) {
+                        deletedIndex = lastValidIndex;
+                    } else {
+                        typeCount++;
+                    }
                 }
 
-                if (mNetworkHandle == mAllNetworkHandles[lastValidIndex].networkHandle) {
-                    deletedIndex = lastValidIndex;
-                    typeCount--;
-                }
             }
-            if (MAX_NETWORK_HANDLES == lastValidIndex) {
+            if (lastValidIndex > 0) {
                 --lastValidIndex;
             }
 
             if (MAX_NETWORK_HANDLES != deletedIndex) {
-                LOC_LOGD("deletedIndex:%u, lastValidIndex:%u, typeCount:%u",
+                LOC_LOGd("deletedIndex:%u, lastValidIndex:%u, typeCount:%u",
                         deletedIndex, lastValidIndex, typeCount);
                 mAllNetworkHandles[deletedIndex] = mAllNetworkHandles[lastValidIndex];
                 mAllNetworkHandles[lastValidIndex].networkHandle = NETWORK_HANDLE_UNKNOWN;