wifi_hal: Fix array overflow retrieving gscan results
Kevin Cernekee [Sun, 30 Aug 2015 17:42:04 +0000 (10:42 -0700)]
WifiNative (in frameworks) allocates a 64-element wifi_cached_scan_results
array on the stack.  The bcmdhd HAL can write past the end of this array
if the kernel provides excess scan data.  Fix the sanity check so that
it terminates processing if it is out of space.

Bug: chrome-os-partner:44402
Change-Id: I99a9bcb180c3aafb294b4af85727e9ec412312df

bcmdhd/wifi_hal/gscan.cpp

index 8a21a0d..9f5669a 100644 (file)
@@ -935,6 +935,10 @@ public:
                         num = it2.get_u32();
                         ALOGV("retrieved num_results: %d", num);
                     } else if (it2.get_type() == GSCAN_ATTRIBUTE_SCAN_RESULTS) {
+                        if (mRetrieved >= mMax) {
+                            ALOGW("Stored %d scans, ignoring excess results", mRetrieved);
+                            break;
+                        }
                         num = it2.get_len() / sizeof(wifi_scan_result);
                         num = min(MAX_RESULTS - mNextScanResult, num);
                         num = min((int)MAX_AP_CACHE_PER_SCAN, num);
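Review bot: The added `break` exits only the inner loop over `it2`; if the enclosing loop over `it` (which starts outside this hunk) then advances to the next scan attribute, the same guard trips again, so `ALOGW` is emitted once per excess scan and the remaining attributes are still walked only to be discarded. Since `mRetrieved` cannot decrease once the guard fires, a single exit is cleaner, e.g. returning from the handler after the warning or setting a flag the outer loop checks. The guard would also read better with a comment naming the bound it enforces, along the lines of `// mMax is the capacity of the caller-supplied results array; never fill index mRetrieved at or past it`, which is inferred from the commit description rather than from code visible here.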
@@ -956,9 +960,6 @@ public:
                                 &(mScanResults[mNextScanResult]), num * sizeof(wifi_scan_result));
                         mNextScanResult += num;
                         mRetrieved++;
-                        if (mRetrieved >= mMax && it.has_next()) {
-                            ALOGW("Ignoring attributes after this scan");
-                        }
                     } else {
                         ALOGW("Ignoring invalid attribute type = %d, size = %d",
                                 it.get_type(), it.get_len());