DivestOS/Patches/LineageOS-11.0/android_external_libnfc-nci/258165.patch

From 818a7f04e004cae09ccd62e35911b9853a02b96b Mon Sep 17 00:00:00 2001
From: George Chang <georgekgchang@google.com>
Date: Tue, 9 Jul 2019 16:17:23 +0800
Subject: [PATCH] Prevent OOB read in rw_t4t.cc part 2

Bug: 120865977
Bug: 120274615
Bug: 124462242
Test: Read T4T Tag
Change-Id: I4d70537d71442205a9456c0ece7a836fa4473558
---
 src/nfc/tags/rw_t4t.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/nfc/tags/rw_t4t.c b/src/nfc/tags/rw_t4t.c
index 7a7f457..29fbc02 100644
--- a/src/nfc/tags/rw_t4t.c
+++ b/src/nfc/tags/rw_t4t.c
@@ -1075,6 +1075,8 @@ static void rw_t4t_handle_error (tNFC_STATUS status, UINT8 sw1, UINT8 sw2)
 
         rw_data.t4t_sw.sw1    = sw1;
         rw_data.t4t_sw.sw2    = sw2;
+        rw_data.ndef.cur_size = 0;
+        rw_data.ndef.max_size = 0;
 
         switch (p_t4t->state)
         {
@@ -1980,6 +1982,17 @@ static void rw_t4t_data_cback (UINT8 conn_id, tNFC_CONN_EVT event, tNFC_CONN *p_
     RW_TRACE_DEBUG1 ("RW T4T state: %d", p_t4t->state);
 #endif
 
+    if (p_t4t->state != RW_T4T_STATE_IDLE &&
+        p_t4t->state != RW_T4T_STATE_PRESENCE_CHECK &&
+        p_r_apdu->len < T4T_RSP_STATUS_WORDS_SIZE)
+    {
+        RW_TRACE_DEBUG1 ("%s incorrect p_r_apdu length", __func__);
+        RW_TRACE_DEBUG0 ("0x534e4554 120865977");
+        rw_t4t_handle_error(NFC_STATUS_FAILED, 0, 0);
+        GKI_freebuf(p_r_apdu);
+        return;
+    }
+
     switch (p_t4t->state)
     {
     case RW_T4T_STATE_IDLE: