From e900b04a91fd87e4d706be7ae3499d5fb9995188 Mon Sep 17 00:00:00 2001
From: Kevin Cernekee
Date: Sun, 30 Aug 2015 10:42:04 -0700
Subject: wifi_hal: Fix array overflow retrieving gscan results

WifiNative (in frameworks) allocates a 64-element wifi_cached_scan_results array on the stack. The bcmdhd HAL can write past the end of this array if the kernel provides excess scan data. Fix the sanity check so that it terminates processing if it is out of space.

Bug: chrome-os-partner:44402
Change-Id: I99a9bcb180c3aafb294b4af85727e9ec412312df
---
 bcmdhd/wifi_hal/gscan.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/bcmdhd/wifi_hal/gscan.cpp b/bcmdhd/wifi_hal/gscan.cpp
index 8a21a0d..9f5669a 100644
--- a/bcmdhd/wifi_hal/gscan.cpp
+++ b/bcmdhd/wifi_hal/gscan.cpp
@@ -935,6 +935,10 @@ public:
 num = it2.get_u32();
 ALOGV("retrieved num_results: %d", num);
 } else if (it2.get_type() == GSCAN_ATTRIBUTE_SCAN_RESULTS) {
+ if (mRetrieved >= mMax) {
+ ALOGW("Stored %d scans, ignoring excess results", mRetrieved);
+ break;
+ }
 num = it2.get_len() / sizeof(wifi_scan_result);
 num = min(MAX_RESULTS - mNextScanResult, num);
 num = min((int)MAX_AP_CACHE_PER_SCAN, num);
@@ -956,9 +960,6 @@ public:
 &(mScanResults[mNextScanResult]), num * sizeof(wifi_scan_result));
 mNextScanResult += num;
 mRetrieved++;
- if (mRetrieved >= mMax && it.has_next()) {
- ALOGW("Ignoring attributes after this scan");
- }
 } else {
 ALOGW("Ignoring invalid attribute type = %d, size = %d", it.get_type(), it.get_len());
-- 
cgit v1.1
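Review bot: The new `mRetrieved >= mMax` guard sits only inside the GSCAN_ATTRIBUTE_SCAN_RESULTS branch, so if any branch above the hunk in the same loop body indexes a per-scan array with `mRetrieved` before the scan-results attribute arrives (the hunk shows only the num_results branch above it), that write is still unguarded; hoisting the three lines `if (mRetrieved >= mMax) { ALOGW("Stored %d scans, ignoring excess results", mRetrieved); break; }` to the top of the loop body, ahead of the type dispatch, would cover every attribute. The `break` also leaves only the innermost loop; if `it2` is nested inside the loop over `it` (the second hunk's `it` suggests so), each remaining outer iteration re-enters, trips the guard and repeats the warning, which is harmless for the overflow but noisy — a flag or an early return that also ends the outer loop would be cleaner. The enclosing function starts and ends outside both hunks. Separately, the `else` branch in the second hunk dispatches on `it2.get_type()` but logs `it.get_type()`/`it.get_len()`; that is pre-existing, but worth aligning to `it2` while touching this code.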