| author | fang.x.chen <fang.x.chen@sonymobile.com> | 2016-11-07 12:31:10 +0900 |
|---|---|---|
| committer | Andre Eisenbach <eisenbach@google.com> | 2016-12-06 18:22:38 +0000 |
| commit | cba7232db14f6ffceb6813315177ee99c422e343 (patch) | |
| tree | 038ab28cca81313acf8764bf629ba1ad7e687dcb | |
| parent | c99d11b183159f3f72f3c1a1b241ce3983a292dd (diff) | |
| download | libnfc-nci-cba7232db14f6ffceb6813315177ee99c422e343.tar.gz | |
Fix native crash in nfc_ncif_proc_activate
The destination of memcpy is allocated with a predetermined maximum
length, but in some cases the length of information being copied is
greater than the maximum length of the destination.
This is the root cause of the crash.
Add a length check before memcpy to avoid memory overflow.
Test: Repeat reading and writing tag
Bug: 32688507
Change-Id: I09ee3c734e9be38a35b1d48679d74e42e0432d78
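The bug the commit message describes, as an added illustration that is not code from libnfc-nci: a historical-bytes length derived from the ATS response is handed to memcpy whose destination is a fixed-size array. The example assumes a stand-in struct (`pa_iso_t`), example sizes `ATS_MAX_LEN` and `HIS_BYTES_MAX_LEN` (not the project's constants), and the ISO 14443-4 ATS layout in which T0 bits 4..6 announce the optional TA(1)/TB(1)/TC(1) interface bytes. `his_len_unchecked` returns the length the unchecked computation would pass to memcpy, including the UINT8 wrap-around when the interface bytes run past the end of the ATS; `activate_checked` validates the offset, caps the copy and reports truncation to the caller instead of silently dropping bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sizes assumed for this example; libnfc-nci's own constants
 * (e.g. NFC_MAX_HIS_BYTES_LEN) are not reproduced here. */
#define ATS_MAX_LEN       20
#define HIS_BYTES_MAX_LEN 8

/* Hypothetical stand-in for the activation-parameters struct. */
typedef struct {
    uint8_t ats_res_len;
    uint8_t ats_res[ATS_MAX_LEN];
    uint8_t his_byte_len;
    uint8_t his_byte[HIS_BYTES_MAX_LEN];
} pa_iso_t;

enum act_status { ACT_OK = 0, ACT_MALFORMED = -1, ACT_TRUNCATED = -2 };

/* Skip TL, T0 and the TA(1)/TB(1)/TC(1) interface bytes that T0 bits
 * 4..6 announce; returns the offset at which the historical bytes start. */
static size_t his_bytes_offset(const uint8_t *ats)
{
    uint8_t t0 = ats[1];
    size_t off = 2;
    if (t0 & 0x10) off++;   /* TA(1) present */
    if (t0 & 0x20) off++;   /* TB(1) present */
    if (t0 & 0x40) off++;   /* TC(1) present */
    return off;
}

/* Length the unchecked code would hand to memcpy: the difference is
 * narrowed to a UINT8 as in the original expression, so an offset beyond
 * ats_len wraps to a large value instead of being rejected. */
static unsigned his_len_unchecked(const uint8_t *ats, size_t ats_len)
{
    size_t off = his_bytes_offset(ats);
    return (uint8_t)(ats_len - off);
}

/* Hardened activation: validates the offset, caps the copy at the
 * destination size and tells the caller when bytes were dropped. */
static int activate_checked(pa_iso_t *pa, const uint8_t *ats, size_t ats_len)
{
    size_t off, his_len;

    if (ats_len < 2 || ats_len > ATS_MAX_LEN) return ACT_MALFORMED;
    memcpy(pa->ats_res, ats, ats_len);
    pa->ats_res_len = (uint8_t)ats_len;

    off = his_bytes_offset(pa->ats_res);
    if (off > ats_len) return ACT_MALFORMED;  /* T0 promises more interface bytes than received */

    his_len = ats_len - off;
    if (his_len > HIS_BYTES_MAX_LEN) {
        pa->his_byte_len = HIS_BYTES_MAX_LEN;
        memcpy(pa->his_byte, pa->ats_res + off, HIS_BYTES_MAX_LEN);
        return ACT_TRUNCATED;
    }
    pa->his_byte_len = (uint8_t)his_len;
    memcpy(pa->his_byte, pa->ats_res + off, his_len);
    return ACT_OK;
}

/* Constructed sample ATS responses (not captured from a real tag). */
static const uint8_t ats_normal[]    = { 0x06, 0x75, 0x77, 0x81, 0x02, 0x80 };
static const uint8_t ats_oversized[] = { 0x12, 0x70, 0x77, 0x81, 0x02,
                                         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
                                         0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };
static const uint8_t ats_short[]     = { 0x03, 0x70 };  /* T0 announces TA/TB/TC, none present */

int main(void)
{
    pa_iso_t pa;
    printf("unchecked lengths: normal=%u oversized=%u short=%u\n",
           his_len_unchecked(ats_normal, sizeof ats_normal),
           his_len_unchecked(ats_oversized, sizeof ats_oversized),
           his_len_unchecked(ats_short, sizeof ats_short));
    printf("checked: normal=%d oversized=%d short=%d\n",
           activate_checked(&pa, ats_normal, sizeof ats_normal),
           activate_checked(&pa, ats_oversized, sizeof ats_oversized),
           activate_checked(&pa, ats_short, sizeof ats_short));
    return 0;
}
```

The oversized ATS carries 13 historical bytes against an 8-byte destination, which is the overrun the patch caps; the short ATS shows the second failure mode, where the subtraction wraps to 253 and a plain clamp would still copy bytes that are not historical bytes at all.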
-rw-r--r-- | src/nfc/nfc/nfc_ncif.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c index 06c12bb..2329933 100644 --- a/src/nfc/nfc/nfc_ncif.c +++ b/src/nfc/nfc/nfc_ncif.c @@ -839,6 +839,8 @@ void nfc_ncif_proc_activate (UINT8 *p, UINT8 len) pp++; /* TC */ } p_pa_iso->his_byte_len = (UINT8) (p_pa_iso->ats_res_len - (pp - p_pa_iso->ats_res)); + if (p_pa_iso->his_byte_len > NFC_MAX_HIS_BYTES_LEN) + p_pa_iso->his_byte_len = NFC_MAX_HIS_BYTES_LEN; memcpy (p_pa_iso->his_byte, pp, p_pa_iso->his_byte_len); break; |
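Review bot: the clamp stops memcpy from overrunning his_byte, but it silently truncates the historical bytes and also hides an inconsistent ATS: his_byte_len is computed as `(UINT8) (p_pa_iso->ats_res_len - (pp - p_pa_iso->ats_res))`, so if the TA/TB/TC skipping (`pp++; /* TC */`) has moved pp past ats_res_len the subtraction wraps to a large value that this check now quietly caps at NFC_MAX_HIS_BYTES_LEN and copies bytes that are not historical bytes. Consider checking `(pp - p_pa_iso->ats_res) <= p_pa_iso->ats_res_len` before the subtraction and treating either condition as an activation failure, or at least logging it, rather than clamping without telling the caller. Minor: the surrounding code uses braces on multi-line ifs; the new two-line if without braces is easy to misread when the next line is edited.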