Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5039b609 authored by Etan Cohen's avatar Etan Cohen Committed by Bryan Ferris
Browse files

[AWARE] Protect string copy against buffer overflow 

Fixes: 143789898
Test: (Unit) atest com.android.server.wifi
Test: ACTS ThroughputTest:test_iperf_single_ndp_aware_only_ib
Test: (VTS) atest VtsHalWifiApV1_4TargetTest
Change-Id: I5b8aa1d9a6388fe20cb7e1cd6a76d5e59e14d099
parent df3648e4

wifi/1.3/default/hidl_struct_util.cpp

+14 −2
Original line number Original line Diff line number Diff line
@@ -1819,7 +1819,13 @@ bool convertHidlNanDataPathInitiatorRequestToLegacy( 
        convertHidlNanDataPathChannelCfgToLegacy(

        convertHidlNanDataPathChannelCfgToLegacy(

            hidl_request.channelRequestType);

            hidl_request.channelRequestType);

    legacy_request->channel = hidl_request.channel;

    legacy_request->channel = hidl_request.channel;

    strcpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str());

    if (strnlen(hidl_request.ifaceName.c_str(), IFNAMSIZ + 1) == IFNAMSIZ + 1) {

        LOG(ERROR) << "convertHidlNanDataPathInitiatorRequestToLegacy: "

                      "ifaceName too long";

        return false;

    }

    strncpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str(),

            IFNAMSIZ + 1);

    legacy_request->ndp_cfg.security_cfg =

    legacy_request->ndp_cfg.security_cfg =

        (hidl_request.securityConfig.securityType !=

        (hidl_request.securityConfig.securityType !=

         NanDataPathSecurityType::OPEN)

         NanDataPathSecurityType::OPEN)
@@ -1900,7 +1906,13 @@ bool convertHidlNanDataPathIndicationResponseToLegacy( 
                                   ? legacy_hal::NAN_DP_REQUEST_ACCEPT

                                   ? legacy_hal::NAN_DP_REQUEST_ACCEPT

                                   : legacy_hal::NAN_DP_REQUEST_REJECT;

                                   : legacy_hal::NAN_DP_REQUEST_REJECT;

    legacy_request->ndp_instance_id = hidl_request.ndpInstanceId;

    legacy_request->ndp_instance_id = hidl_request.ndpInstanceId;

    strcpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str());

    if (strnlen(hidl_request.ifaceName.c_str(), IFNAMSIZ + 1) == IFNAMSIZ + 1) {

        LOG(ERROR) << "convertHidlNanDataPathIndicationResponseToLegacy: "

                      "ifaceName too long";

        return false;

    }

    strncpy(legacy_request->ndp_iface, hidl_request.ifaceName.c_str(),

            IFNAMSIZ + 1);

    legacy_request->ndp_cfg.security_cfg =

    legacy_request->ndp_cfg.security_cfg =

        (hidl_request.securityConfig.securityType !=

        (hidl_request.securityConfig.securityType !=

         NanDataPathSecurityType::OPEN)

         NanDataPathSecurityType::OPEN)