From 818a7f04e004cae09ccd62e35911b9853a02b96b Mon Sep 17 00:00:00 2001 From: George Chang Date: Tue, 9 Jul 2019 16:17:23 +0800 Subject: [PATCH] Prevent OOB read in rw_t4t.cc part 2 Bug: 120865977 Bug: 120274615 Bug: 124462242 Test: Read T4T Tag Change-Id: I4d70537d71442205a9456c0ece7a836fa4473558 --- src/nfc/tags/rw_t4t.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/nfc/tags/rw_t4t.c b/src/nfc/tags/rw_t4t.c index 7a7f457..29fbc02 100644 --- a/src/nfc/tags/rw_t4t.c +++ b/src/nfc/tags/rw_t4t.c @@ -1075,6 +1075,8 @@ static void rw_t4t_handle_error (tNFC_STATUS status, UINT8 sw1, UINT8 sw2) rw_data.t4t_sw.sw1 = sw1; rw_data.t4t_sw.sw2 = sw2; + rw_data.ndef.cur_size = 0; + rw_data.ndef.max_size = 0; switch (p_t4t->state) { @@ -1980,6 +1982,17 @@ static void rw_t4t_data_cback (UINT8 conn_id, tNFC_CONN_EVT event, tNFC_CONN *p_ RW_TRACE_DEBUG1 ("RW T4T state: %d", p_t4t->state); #endif + if (p_t4t->state != RW_T4T_STATE_IDLE && + p_t4t->state != RW_T4T_STATE_PRESENCE_CHECK && + p_r_apdu->len < T4T_RSP_STATUS_WORDS_SIZE) + { + RW_TRACE_DEBUG1 ("%s incorrect p_r_apdu length", __func__); + RW_TRACE_DEBUG0 ("0x534e4554 120865977"); + rw_t4t_handle_error(NFC_STATUS_FAILED, 0, 0); + GKI_freebuf(p_r_apdu); + return; + } + switch (p_t4t->state) { case RW_T4T_STATE_IDLE: