From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Fri, 18 Mar 2022 17:13:05 -0700
Subject: [PATCH] OOB read in phNciNfc_RecvMfResp()

The size of RspBuff for Mifare shall be at least 2 bytes:
Mifare Req/Rsp Id + Status

Bug: 221852424
Test: build ok
Change-Id: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
(cherry picked from commit f0d86f7fe23499cd4c6631348618463fbc496436)
Merged-In: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
---
 nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
index 01d83f59..86657d53 100755
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
@@ -1231,7 +1231,7 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
     }
     else
     {
-        if((0 == (RspBuffInfo->wLen))
+        if(((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) > RspBuffInfo->wLen)
                 || (PH_NCINFC_STATUS_OK != wStatus)
                 || (NULL == (RspBuffInfo->pBuff))
                 )
@@ -1271,12 +1271,6 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
                         status = NFCSTATUS_SUCCESS;
                         uint16_t wRecvDataSz = 0;
 
-                        if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
-                            RspBuffInfo->wLen)
-                        {
-                            android_errorWriteLog(0x534e4554, "181346550");
-                            return NFCSTATUS_FAILED;
-                        }
                         /* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
                         wPldDataSize = ((RspBuffInfo->wLen) -
                             (PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));