From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Fri, 18 Mar 2022 17:13:05 -0700
Subject: [PATCH] OOB read in phNciNfc_RecvMfResp()

The size of RspBuff for Mifare shall be at least 2 bytes:
Mifare Req/Rsp Id + Status

Bug: 221852424
Test: build ok
Change-Id: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
(cherry picked from commit f0d86f7fe23499cd4c6631348618463fbc496436)
Merged-In: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
---
 nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
index d3d78a03..0ee2314d 100755
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
@@ -1230,7 +1230,7 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
     }
     else
     {
-        if((0 == (RspBuffInfo->wLen))
+        if(((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) > RspBuffInfo->wLen)
                 || (PH_NCINFC_STATUS_OK != wStatus)
                 || (NULL == (RspBuffInfo->pBuff))
                 )
@@ -1250,13 +1250,6 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
                     {
                         status = NFCSTATUS_SUCCESS;
 
-                        if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
-                            RspBuffInfo->wLen)
-                        {
-                            android_errorWriteLog(0x534e4554, "181346550");
-                            return NFCSTATUS_FAILED;
-                        }
-
                         /* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
                         wPldDataSize = ((RspBuffInfo->wLen) -
                             (PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));