diff options
author | Ruchi Kandoi <kandoiruchi@google.com> | 2019-01-24 14:45:55 -0800 |
---|---|---|
committer | JP Sugarbroad <jpsugar@google.com> | 2019-02-12 13:10:19 -0800 |
commit | 7dd06ddd7cd814e81ec03075330cbc7edc92a3b2 (patch) | |
tree | bf5916cfc4a634fd1b550450048cd1b344aa7098 | |
parent | c9b6ad46483754fb28fc7b6a5a64a94c67897bce (diff) | |
download | libnfc-nci-nougat-mr1.8-release.tar.gz |
Prevent OOB read in rw_i93_process_sys_info()nougat-mr1.8-release
Test: Nfc Enable/Disable
Bug: 121259048
Change-Id: Iad8809e5d270f1049b3738891ef4b44346084047
(cherry picked from commit 8e8de2b13b00dd2ad9ac61e773b8a1c2573759d6)
-rw-r--r-- | src/nfc/tags/rw_i93.c | 44 |
1 files changed, 38 insertions, 6 deletions
diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c index 4fcf4ac..8884970 100644 --- a/src/nfc/tags/rw_i93.c +++ b/src/nfc/tags/rw_i93.c @@ -204,7 +204,7 @@ void rw_i93_get_product_version (UINT8 *p_uid) ** Returns FALSE if retrying with protocol extension flag ** *******************************************************************************/ -BOOLEAN rw_i93_process_sys_info (UINT8* p_data) +BOOLEAN rw_i93_process_sys_info (UINT8* p_data, UINT16 length) { UINT8 *p = p_data; tRW_I93_CB *p_i93 = &rw_cb.tcb.i93; @@ -212,38 +212,70 @@ BOOLEAN rw_i93_process_sys_info (UINT8* p_data) RW_TRACE_DEBUG0 ("rw_i93_process_sys_info ()"); + if (length < (I93_UID_BYTE_LEN + 1)) + { + android_errorWriteLog (0x534e4554, "121259048"); + return FALSE; + } STREAM_TO_UINT8 (p_i93->info_flags, p); + length--; p_uid = uid; STREAM_TO_ARRAY8 (p_uid, p); + length -= I93_UID_BYTE_LEN; if (p_i93->info_flags & I93_INFO_FLAG_DSFID) { + if (length == 0) + { + android_errorWriteLog (0x534e4554, "121259048"); + return FALSE; + } STREAM_TO_UINT8 (p_i93->dsfid, p); + length--; } if (p_i93->info_flags & I93_INFO_FLAG_AFI) { + if (length == 0) + { + android_errorWriteLog (0x534e4554, "121259048"); + return FALSE; + } STREAM_TO_UINT8 (p_i93->afi, p); + length--; } if (p_i93->info_flags & I93_INFO_FLAG_MEM_SIZE) { - if (p_i93->intl_flags & RW_I93_FLAG_16BIT_NUM_BLOCK) + BOOLEAN block_16_bit = p_i93->intl_flags & RW_I93_FLAG_16BIT_NUM_BLOCK; + if (block_16_bit && length > 2) { STREAM_TO_UINT16 (p_i93->num_block, p); + length -= 2; } - else + else if (!block_16_bit && length > 1) { STREAM_TO_UINT8 (p_i93->num_block, p); + length--; + } + else { + android_errorWriteLog(0x534e4554, "121259048"); + return FALSE; } /* it is one less than actual number of bytes */ p_i93->num_block += 1; STREAM_TO_UINT8 (p_i93->block_size, p); + length--; /* it is one less than actual number of blocks */ p_i93->block_size = (p_i93->block_size & 0x1F) + 1; } if (p_i93->info_flags & I93_INFO_FLAG_IC_REF) { + if (length == 0) + { + android_errorWriteLog(0x534e4554, "121259048"); + return FALSE; + } STREAM_TO_UINT8 (p_i93->ic_reference, p); /* clear existing UID to set product version */ @@ -448,7 +480,7 @@ void rw_i93_send_to_upper (BT_HDR *p_resp) case I93_CMD_GET_SYS_INFO: - if (rw_i93_process_sys_info (p)) + if (rw_i93_process_sys_info (p, length)) { rw_data.i93_sys_info.status = NFC_STATUS_OK; rw_data.i93_sys_info.info_flags = p_i93->info_flags; @@ -1568,7 +1600,7 @@ void rw_i93_sm_detect_ndef (BT_HDR *p_resp) p_i93->block_size = 0; p_i93->num_block = 0; - if (!rw_i93_process_sys_info (p)) + if (!rw_i93_process_sys_info (p, length)) { /* retrying with protocol extension flag */ break; @@ -2457,7 +2489,7 @@ void rw_i93_sm_format (BT_HDR *p_resp) p_i93->block_size = 0; p_i93->num_block = 0; - if (!rw_i93_process_sys_info (p)) + if (!rw_i93_process_sys_info (p, length)) { /* retrying with protocol extension flag */ break; |