mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-24 23:19:31 -05:00
60 lines
2.0 KiB
Diff
60 lines
2.0 KiB
Diff
From 3b4afbcac25aed96d157b05921077ce83f05b518 Mon Sep 17 00:00:00 2001
|
|
From: George Chang <georgekgchang@google.com>
|
|
Date: Fri, 16 Aug 2019 20:37:23 +0800
|
|
Subject: [PATCH] Prevent OOB in rw_i93.cc
|
|
|
|
Bug: 139188579
|
|
Test: Read/Write/Lock Type 5 Tag
|
|
Change-Id: Ife24f097c926184019038e559cbd806b289911c6
|
|
Exempt-From-Owner-Approval: Old Owners are all transferred to another BU
|
|
(cherry picked from commit 4025e2b929905f9b751f3612a6ee26cd5e599417)
|
|
---
|
|
src/nfc/tags/rw_i93.c | 20 ++++++++++++++++++--
|
|
1 file changed, 18 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c
|
|
index 4713d8f..7d6a3d7 100644
|
|
--- a/src/nfc/tags/rw_i93.c
|
|
+++ b/src/nfc/tags/rw_i93.c
|
|
@@ -41,6 +41,8 @@
|
|
#define RW_I93_READ_MULTI_BLOCK_SIZE 128 /* max reading data if read multi block is supported */
|
|
#define RW_I93_FORMAT_DATA_LEN 8 /* CC, zero length NDEF, Terminator TLV */
|
|
#define RW_I93_GET_MULTI_BLOCK_SEC_SIZE 512 /* max getting lock status if get multi block sec is supported */
|
|
+/*Capability Container CC Size */
|
|
+#define RW_I93_CC_SIZE 4
|
|
|
|
/* main state */
|
|
enum
|
|
@@ -1630,8 +1632,15 @@ void rw_i93_sm_detect_ndef (BT_HDR *p_resp)
|
|
|
|
case RW_I93_SUBSTATE_WAIT_CC:
|
|
|
|
- /* assume block size is more than 4 */
|
|
- STREAM_TO_ARRAY (cc, p, 4);
|
|
+ if (length < RW_I93_CC_SIZE)
|
|
+ {
|
|
+ android_errorWriteLog(0x534e4554, "139188579");
|
|
+ rw_i93_handle_error(NFC_STATUS_FAILED);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ /* assume block size is more than RW_I93_CC_SIZE 4 */
|
|
+ STREAM_TO_ARRAY(cc, p, RW_I93_CC_SIZE);
|
|
|
|
status = NFC_STATUS_FAILED;
|
|
|
|
@@ -2863,6 +2872,13 @@ void rw_i93_sm_set_read_only (BT_HDR *p_resp)
|
|
{
|
|
case RW_I93_SUBSTATE_WAIT_CC:
|
|
|
|
+ if (length < RW_I93_CC_SIZE)
|
|
+ {
|
|
+ android_errorWriteLog(0x534e4554, "139188579");
|
|
+ rw_i93_handle_error(NFC_STATUS_FAILED);
|
|
+ return;
|
|
+ }
|
|
+
|
|
/* mark CC as read-only */
|
|
*(p+1) |= I93_ICODE_CC_READ_ONLY;
|
|
|