Add sanity check for mac address & WPS device type A bunch of Security Report bug fixes. Added sanity check for mac address length in p2p and SoftAp functions in supplicant/hostapd AIDL implementation. Also added sanity check for WPS device type length in setWpsDeviceType() function. Checks are added to avoid out of bound read operation in core supplicant/ hostapd code. Bug: 257029326 Bug: 257029925 Bug: 256818945 Bug: 257030100 Bug: 257030027 Bug: 257029965 Bug: 257029915 Bug: 257029912 Bug: 257029780 Bug: 257029812 Test: Manual - P2P & SoftAp connect/disconnect tests Change-Id: I2ddd4dea01ac03bd379b465f814e5f8c39cc02a9

commit: 1a360898757d3bd1a7c3714b1ee51d702057c9b9 [log] [tgz]
author: Sunil Ravi <sunilravi@google.com> Tue Nov 29 20:16:01 2022 +0000
committer: Sunil Ravi <sunilravi@google.com> Tue Nov 29 20:45:21 2022 +0000
tree: d0e80676a80d650b88886c4736bc39ec9f115f24
parent: ac5ba6bf111185610c688fb885e45d67f1a567fa [diff] [blame]
diff --git a/hostapd/aidl/hostapd.cpp b/hostapd/aidl/hostapd.cpp
index f2200d6..35bfbe7 100644
--- a/hostapd/aidl/hostapd.cpp
+++ b/hostapd/aidl/hostapd.cpp

@@ -702,6 +702,9 @@
 			   const std::vector<uint8_t>& client_address,
 			   const uint16_t reason_code) {
 	struct sta_info *sta;
+	if (client_address.size() != ETH_ALEN) {
+		return false;
+	}
 	for (sta = hapd->sta_list; sta; sta = sta->next) {
 		int res;
 		res = memcmp(sta->addr, client_address.data(), ETH_ALEN);
commit	1a360898757d3bd1a7c3714b1ee51d702057c9b9	[log] [tgz]
author	Sunil Ravi <sunilravi@google.com>	Tue Nov 29 20:16:01 2022 +0000
committer	Sunil Ravi <sunilravi@google.com>	Tue Nov 29 20:45:21 2022 +0000
tree	d0e80676a80d650b88886c4736bc39ec9f115f24
parent	ac5ba6bf111185610c688fb885e45d67f1a567fa [diff] [blame]