wifinative jni: check array length to prevent stack overflow am: a5a1823909

am: 02701729da Change-Id: I898dcf9c33d32150b07c3f38e199d40c92fd00e9
author: Ningyuan Wang <nywang@google.com> 2016-10-11 17:56:50 +0000
committer: android-build-merger <android-build-merger@google.com> 2016-10-11 17:56:50 +0000
commit: 849c5c7ba6d8670788efdd6977c306ca2a3069c7 (patch)
tree: 4d96b5bae14aae60805b20798a5a5c8c90f11407
parent: 444e06c4690f438672491641ac3198adc690e98c (diff)
parent: 02701729da8b2a8ddbaf70de39f1341f1eadde81 (diff)
download: wifi-849c5c7ba6d8670788efdd6977c306ca2a3069c7.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/service/jni/com_android_server_wifi_WifiNative.cpp b/service/jni/com_android_server_wifi_WifiNative.cpp
index adc7402f2..e9e85ac9d 100644
--- a/service/jni/com_android_server_wifi_WifiNative.cpp
+++ b/service/jni/com_android_server_wifi_WifiNative.cpp
@@ -625,6 +625,13 @@ static jboolean android_net_wifi_setHotlist(
         return false;
     }
 
+    if (params.num_ap >
+            static_cast<int>(sizeof(params.ap) / sizeof(params.ap[0]))) {
+        ALOGE("setHotlist array length is too long");
+        android_errorWriteLog(0x534e4554, "31856351");
+        return false;
+    }
+
     for (int i = 0; i < params.num_ap; i++) {
         jobject objAp = env->GetObjectArrayElement(array, i);
author	Ningyuan Wang <nywang@google.com>	2016-10-11 17:56:50 +0000
committer	android-build-merger <android-build-merger@google.com>	2016-10-11 17:56:50 +0000
commit	849c5c7ba6d8670788efdd6977c306ca2a3069c7 (patch)
tree	4d96b5bae14aae60805b20798a5a5c8c90f11407
parent	444e06c4690f438672491641ac3198adc690e98c (diff)
parent	02701729da8b2a8ddbaf70de39f1341f1eadde81 (diff)
download	wifi-849c5c7ba6d8670788efdd6977c306ca2a3069c7.tar.gz