4 files changed, 79 insertions, 1 deletions

diff --git a/core/java/android/net/LinkProperties.java b/core/java/android/net/LinkProperties.java
index 75f8b5948b81..dc9a54f8ea75 100644
--- a/core/java/android/net/LinkProperties.java
+++ b/core/java/android/net/LinkProperties.java
@@ -144,6 +144,16 @@ public class LinkProperties implements Parcelable {
         return Collections.unmodifiableCollection(mLinkAddresses);
     }
 
+    /**
+     * Replaces the LinkAddresses on this link with the given collection of addresses
+     */
+    public void setLinkAddresses(Collection<LinkAddress> addresses) {
+        mLinkAddresses.clear();
+        for (LinkAddress address: addresses) {
+            addLinkAddress(address);
+        }
+    }
+
     public void addDns(InetAddress dns) {
         if (dns != null) mDnses.add(dns);
     }
@@ -198,6 +208,16 @@ public class LinkProperties implements Parcelable {
         return routes;
     }
 
+    /**
+     * Replaces the RouteInfos on this link with the given collection of RouteInfos.
+     */
+    public void setRoutes(Collection<RouteInfo> routes) {
+        mRoutes.clear();
+        for (RouteInfo route : routes) {
+            addRoute(route);
+        }
+    }
+
     public void setHttpProxy(ProxyProperties proxy) {
         mHttpProxy = proxy;
     }
diff --git a/services/java/com/android/server/wifi/WifiService.java b/services/java/com/android/server/wifi/WifiService.java
index a70978ee6c4b..851c00f25c3c 100644
--- a/services/java/com/android/server/wifi/WifiService.java
+++ b/services/java/com/android/server/wifi/WifiService.java
@@ -35,6 +35,7 @@ import android.net.wifi.WifiWatchdogStateMachine;
 import android.net.DhcpInfo;
 import android.net.DhcpResults;
 import android.net.LinkAddress;
+import android.net.LinkProperties;
 import android.net.NetworkUtils;
 import android.net.RouteInfo;
 import android.os.Binder;
@@ -470,6 +471,17 @@ public final class WifiService extends IWifiManager.Stub {
      */
     public int addOrUpdateNetwork(WifiConfiguration config) {
         enforceChangePermission();
+        // Until we have better UI so the user knows what's up we can't support undisplayable
+        // things (it's a security hole).  Even when we can support it we probably need
+        // to lock down who can modify what.  TODO - remove this when addOrUpdateNetwork
+        // restricts callers AND when the UI in settings lets users view the data AND
+        // when the VPN code is immune to specific routes.
+        if (config != null) {
+            LinkProperties lp = config.linkProperties;
+            if (lp == null || lp.equals(WifiConfiguration.stripUndisplayableConfig(lp)) == false) {
+                return -1;
+            }
+        }
         if (mWifiStateMachineChannel != null) {
             return mWifiStateMachine.syncAddOrUpdateNetwork(mWifiStateMachineChannel, config);
         } else {
diff --git a/wifi/java/android/net/wifi/WifiConfiguration.java b/wifi/java/android/net/wifi/WifiConfiguration.java
index bd8f0eb2d041..c76dc4e2736b 100644
--- a/wifi/java/android/net/wifi/WifiConfiguration.java
+++ b/wifi/java/android/net/wifi/WifiConfiguration.java
@@ -16,12 +16,17 @@
 
 package android.net.wifi;
 
+import android.net.LinkAddress;
 import android.net.LinkProperties;
+import android.net.RouteInfo;
 import android.os.Parcelable;
 import android.os.Parcel;
 import android.text.TextUtils;
 
+import java.util.ArrayList;
 import java.util.BitSet;
+import java.util.Collection;
+import java.util.Iterator;
 
 /**
  * A class representing a configured Wi-Fi network, including the
@@ -581,6 +586,44 @@ public class WifiConfiguration implements Parcelable {
         }
     }
 
+    /**
+     * We don't want to use routes other than the first default and
+     * correct direct-connect route, or addresses beyond the first as
+     * the user can't see them in the UI and malicious apps
+     * can do malicious things with them.  In particular specific routes
+     * circumvent VPNs of this era.
+     *
+     * @hide
+     */
+    public static LinkProperties stripUndisplayableConfig(LinkProperties lp) {
+        if (lp == null) return lp;
+
+        LinkProperties newLp = new LinkProperties(lp);
+        Iterator<LinkAddress> i = lp.getLinkAddresses().iterator();
+        RouteInfo directConnectRoute = null;
+        if (i.hasNext()) {
+            LinkAddress addr = i.next();
+            Collection<LinkAddress> newAddresses = new ArrayList<LinkAddress>(1);
+            newAddresses.add(addr);
+            newLp.setLinkAddresses(newAddresses);
+            directConnectRoute = new RouteInfo(addr,null);
+        }
+        boolean defaultAdded = false;
+        Collection<RouteInfo> routes = lp.getRoutes();
+        Collection<RouteInfo> newRoutes = new ArrayList<RouteInfo>(2);
+        for (RouteInfo route : routes) {
+            if (defaultAdded == false && route.isDefaultRoute()) {
+                newRoutes.add(route);
+                defaultAdded = true;
+            }
+            if (route.equals(directConnectRoute)) {
+                newRoutes.add(route);
+            }
+        }
+        newLp.setRoutes(newRoutes);
+        return newLp;
+    }
+
     /** Implement the Parcelable interface {@hide} */
     public void writeToParcel(Parcel dest, int flags) {
         dest.writeInt(networkId);
diff --git a/wifi/java/android/net/wifi/WifiStateMachine.java b/wifi/java/android/net/wifi/WifiStateMachine.java
index 3a7834d4fd17..4fbfb0f7a06c 100644
--- a/wifi/java/android/net/wifi/WifiStateMachine.java
+++ b/wifi/java/android/net/wifi/WifiStateMachine.java
@@ -1587,10 +1587,12 @@ public class WifiStateMachine extends StateMachine {
     private void configureLinkProperties() {
         if (mWifiConfigStore.isUsingStaticIp(mLastNetworkId)) {
             mLinkProperties = mWifiConfigStore.getLinkProperties(mLastNetworkId);
+            mLinkProperties = WifiConfiguration.stripUndisplayableConfig(mLinkProperties);
         } else {
             synchronized (mDhcpResultsLock) {
                 if ((mDhcpResults != null) && (mDhcpResults.linkProperties != null)) {
-                    mLinkProperties = mDhcpResults.linkProperties;
+                    mLinkProperties = WifiConfiguration.stripUndisplayableConfig(
+                        mDhcpResults.linkProperties);
                 }
             }
             mLinkProperties.setHttpProxy(mWifiConfigStore.getProxyProperties(mLastNetworkId));
@@ -1831,6 +1833,7 @@ public class WifiStateMachine extends StateMachine {
         if (getNetworkDetailedState() == DetailedState.CONNECTED) {
             //DHCP renewal in connected state
             linkProperties.setHttpProxy(mWifiConfigStore.getProxyProperties(mLastNetworkId));
+            linkProperties = WifiConfiguration.stripUndisplayableConfig(linkProperties);
             if (!linkProperties.equals(mLinkProperties)) {
                 if (DBG) {
                     log("Link configuration changed for netId: " + mLastNetworkId