From 3b4afbcac25aed96d157b05921077ce83f05b518 Mon Sep 17 00:00:00 2001 From: George Chang Date: Fri, 16 Aug 2019 20:37:23 +0800 Subject: [PATCH] Prevent OOB in rw_i93.cc Bug: 139188579 Test: Read/Write/Lock Type 5 Tag Change-Id: Ife24f097c926184019038e559cbd806b289911c6 Exempt-From-Owner-Approval: Old Owners are all transferred to another BU (cherry picked from commit 4025e2b929905f9b751f3612a6ee26cd5e599417) --- src/nfc/tags/rw_i93.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c index 4713d8f..7d6a3d7 100644 --- a/src/nfc/tags/rw_i93.c +++ b/src/nfc/tags/rw_i93.c @@ -41,6 +41,8 @@ #define RW_I93_READ_MULTI_BLOCK_SIZE 128 /* max reading data if read multi block is supported */ #define RW_I93_FORMAT_DATA_LEN 8 /* CC, zero length NDEF, Terminator TLV */ #define RW_I93_GET_MULTI_BLOCK_SEC_SIZE 512 /* max getting lock status if get multi block sec is supported */ +/*Capability Container CC Size */ +#define RW_I93_CC_SIZE 4 /* main state */ enum @@ -1630,8 +1632,15 @@ void rw_i93_sm_detect_ndef (BT_HDR *p_resp) case RW_I93_SUBSTATE_WAIT_CC: - /* assume block size is more than 4 */ - STREAM_TO_ARRAY (cc, p, 4); + if (length < RW_I93_CC_SIZE) + { + android_errorWriteLog(0x534e4554, "139188579"); + rw_i93_handle_error(NFC_STATUS_FAILED); + return; + } + + /* assume block size is more than RW_I93_CC_SIZE 4 */ + STREAM_TO_ARRAY(cc, p, RW_I93_CC_SIZE); status = NFC_STATUS_FAILED; @@ -2863,6 +2872,13 @@ void rw_i93_sm_set_read_only (BT_HDR *p_resp) { case RW_I93_SUBSTATE_WAIT_CC: + if (length < RW_I93_CC_SIZE) + { + android_errorWriteLog(0x534e4554, "139188579"); + rw_i93_handle_error(NFC_STATUS_FAILED); + return; + } + /* mark CC as read-only */ *(p+1) |= I93_ICODE_CC_READ_ONLY;