author | Vinit Deshpande <vinitd@google.com> | 2014-11-15 00:04:17 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2014-11-15 00:04:18 +0000 |
commit | fb29a19d6401f75c72be6bacd9171fc974e3b07d (patch) | |
tree | 5ed24eabc5f31de3d05a8b1c3ad859ff72ae30cd | |
parent | 1d1a18d00e2dfd8b29aee3e3ea48d188c5b630ff (diff) | |
parent | e7b9e74a9a699e74881e5c98c684567763dfaa35 (diff) | |
download | wifi-fb29a19d6401f75c72be6bacd9171fc974e3b07d.tar.gz |
Merge "Fix a crash in parsing beacon IEs" into lmp-mr1-dev
-rw-r--r-- | service/java/com/android/server/wifi/WifiNative.java | 26 |
1 files changed, 15 insertions, 11 deletions
diff --git a/service/java/com/android/server/wifi/WifiNative.java b/service/java/com/android/server/wifi/WifiNative.java index 72e020bce..2e82a462b 100644 --- a/service/java/com/android/server/wifi/WifiNative.java +++ b/service/java/com/android/server/wifi/WifiNative.java @@ -1280,15 +1280,21 @@ public class WifiNative { if (DBG) Log.i(TAG, "Got a full scan results event, ssid = " + result.SSID + ", " + "num = " + bytes.length); + if (sScanEventHandler == null) { + return; + } + int num = 0; for (int i = 0; i < bytes.length; ) { - num++; - int type = (int) bytes[i] & 0xFF; - int len = (int) bytes[i + 1] & 0xFF; - if (len < 0) { - Log.e(TAG, "bad length; returning"); - return; + int type = bytes[i] & 0xFF; + int len = bytes[i + 1] & 0xFF; + + if (i + len + 2 > bytes.length) { + Log.w(TAG, "bad length " + len + " of IE " + type + " from " + result.BSSID); + Log.w(TAG, "ignoring the rest of the IEs"); + break; } + num++; i += len + 2; if (DBG) Log.i(TAG, "bytes[" + i + "] = [" + type + ", " + len + "]" + ", " + "next = " + i); @@ -1296,8 +1302,8 @@ public class WifiNative { ScanResult.InformationElement elements[] = new ScanResult.InformationElement[num]; for (int i = 0, index = 0; i < num; i++) { - int type = (int) bytes[index] & 0xFF; - int len = (int) bytes[index + 1] & 0xFF; + int type = bytes[index] & 0xFF; + int len = bytes[index + 1] & 0xFF; if (DBG) Log.i(TAG, "index = " + index + ", type = " + type + ", len = " + len); ScanResult.InformationElement elem = new ScanResult.InformationElement(); elem.id = type; @@ -1310,9 +1316,7 @@ public class WifiNative { } result.informationElements = elements; - if (sScanEventHandler != null) { - sScanEventHandler.onFullScanResult(result); - } + sScanEventHandler.onFullScanResult(result); } private static int sScanCmdId = 0; |
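Review bot: In the first hunk `bytes[i + 1]` is still read before any bounds check, so a buffer that ends with a single leftover byte (`i == bytes.length - 1`) throws ArrayIndexOutOfBoundsException before the new `i + len + 2 > bytes.length` test runs. Going by the commit title these bytes are beacon IEs, that is, data received over the air, so a truncated trailing element has to be expected. Guard the two-byte header before the reads, e.g. `if (i + 2 > bytes.length) { Log.w(TAG, "truncated IE header from " + result.BSSID); break; }`. The enclosing method starts outside the hunk, so whether `bytes` can be null at this point is not visible here.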
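Review bot: The last hunk calls `sScanEventHandler.onFullScanResult(result);` unchecked and relies on the null test that the first hunk adds at the top of the method. The hunks do not show whether the method or the static field is synchronized; if another thread can clear the field between the test and the call, this line can throw NullPointerException. Reading the field once into a local at the top, returning when that local is null, and ending with `handler.onFullScanResult(result);` keeps the early return and closes that window. The method signature lies outside the hunk.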