diff options
author | Martijn Coenen <maco@google.com> | 2011-05-31 16:03:26 -0700 |
---|---|---|
committer | Martijn Coenen <maco@google.com> | 2011-05-31 19:06:59 -0700 |
commit | 0aa1017f9183bca752c95af72f73120e102ab2d3 (patch) | |
tree | 6abf9c992f13b966d15e8b9783953704e75012ea | |
parent | 1b755dea38cc428a4adb8b8954bbafaa9c0441fb (diff) | |
download | base-0aa1017f9183bca752c95af72f73120e102ab2d3.tar.gz |
Prevent allocation overflows by corrupt NDEF records.
Basic sanity check for the length fields in NdefRecord; this prevents
malformed NdefRecords from crashing the vm and the entire NFC service
with it.
Bug: 4165324
Change-Id: I67b341d445d6647cb76cc24ea49afaf77de0610e
-rw-r--r-- | core/jni/android_nfc_NdefMessage.cpp | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/core/jni/android_nfc_NdefMessage.cpp b/core/jni/android_nfc_NdefMessage.cpp index 9beef2a97a5e..aff8aa6679c3 100644 --- a/core/jni/android_nfc_NdefMessage.cpp +++ b/core/jni/android_nfc_NdefMessage.cpp @@ -102,6 +102,19 @@ static jint android_nfc_NdefMessage_parseNdefMessage(JNIEnv *e, jobject o, } TRACE("phFriNfc_NdefRecord_Parse() returned 0x%04x", status); + // We don't exactly know what *is* a valid length, but a simple + // sanity check is to make sure that the length of the header + // plus all fields does not exceed raw_msg_size. The min length + // of the header is 3 bytes: TNF, Type Length, Payload Length + // (ID length field is optional!) + uint64_t indicatedMsgLength = 3 + record.TypeLength + record.IdLength + + (uint64_t)record.PayloadLength; + if (indicatedMsgLength > + (uint64_t)raw_msg_size) { + LOGE("phFri_NdefRecord_Parse: invalid length field"); + goto end; + } + type = e->NewByteArray(record.TypeLength); if (type == NULL) { LOGD("NFC_Set Record Type Error\n"); |