DivestOS/Patches/LineageOS-15.1/android_packages_apps_Nfc/332455-backport.patch
Tad ebdf629cbc 15.1 ASB work
Compile tested

Signed-off-by: Tad <tad@spotco.us>
2022-08-12 21:10:31 -04:00

44 lines
1.9 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Fri, 18 Mar 2022 17:13:05 -0700
Subject: [PATCH] OOB read in phNciNfc_RecvMfResp()
The size of RspBuff for Mifare shall be at least 2 bytes:
Mifare Req/Rsp Id + Status
Bug: 221852424
Test: build ok
Change-Id: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
(cherry picked from commit f0d86f7fe23499cd4c6631348618463fbc496436)
Merged-In: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
---
nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
index 01d83f59..86657d53 100755
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
@@ -1231,7 +1231,7 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
}
else
{
- if((0 == (RspBuffInfo->wLen))
+ if(((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) > RspBuffInfo->wLen)
|| (PH_NCINFC_STATUS_OK != wStatus)
|| (NULL == (RspBuffInfo->pBuff))
)
@@ -1271,12 +1271,6 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
status = NFCSTATUS_SUCCESS;
uint16_t wRecvDataSz = 0;
- if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
- RspBuffInfo->wLen)
- {
- android_errorWriteLog(0x534e4554, "181346550");
- return NFCSTATUS_FAILED;
- }
/* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
wPldDataSize = ((RspBuffInfo->wLen) -
(PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));