DivestOS/Patches/LineageOS-11.0/android_external_libnfc-nci/264094.patch

From 3b4afbcac25aed96d157b05921077ce83f05b518 Mon Sep 17 00:00:00 2001
From: George Chang <georgekgchang@google.com>
Date: Fri, 16 Aug 2019 20:37:23 +0800
Subject: [PATCH] Prevent OOB in rw_i93.cc

Bug: 139188579
Test: Read/Write/Lock Type 5 Tag
Change-Id: Ife24f097c926184019038e559cbd806b289911c6
Exempt-From-Owner-Approval: Old Owners are all transferred to another BU
(cherry picked from commit 4025e2b929905f9b751f3612a6ee26cd5e599417)
---
 src/nfc/tags/rw_i93.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c
index 4713d8f..7d6a3d7 100644
--- a/src/nfc/tags/rw_i93.c
+++ b/src/nfc/tags/rw_i93.c
@@ -41,6 +41,8 @@
 #define RW_I93_READ_MULTI_BLOCK_SIZE            128     /* max reading data if read multi block is supported */
 #define RW_I93_FORMAT_DATA_LEN                  8       /* CC, zero length NDEF, Terminator TLV              */
 #define RW_I93_GET_MULTI_BLOCK_SEC_SIZE         512     /* max getting lock status if get multi block sec is supported */
+/*Capability Container CC Size */
+#define RW_I93_CC_SIZE 4
 
 /* main state */
 enum
@@ -1630,8 +1632,15 @@ void rw_i93_sm_detect_ndef (BT_HDR *p_resp)
 
     case RW_I93_SUBSTATE_WAIT_CC:
 
-        /* assume block size is more than 4 */
-        STREAM_TO_ARRAY (cc, p, 4);
+        if (length < RW_I93_CC_SIZE)
+        {
+            android_errorWriteLog(0x534e4554, "139188579");
+            rw_i93_handle_error(NFC_STATUS_FAILED);
+            return;
+        }
+
+        /* assume block size is more than RW_I93_CC_SIZE 4 */
+        STREAM_TO_ARRAY(cc, p, RW_I93_CC_SIZE);
 
         status = NFC_STATUS_FAILED;
 
@@ -2863,6 +2872,13 @@ void rw_i93_sm_set_read_only (BT_HDR *p_resp)
     {
     case RW_I93_SUBSTATE_WAIT_CC:
 
+        if (length < RW_I93_CC_SIZE)
+        {
+            android_errorWriteLog(0x534e4554, "139188579");
+            rw_i93_handle_error(NFC_STATUS_FAILED);
+            return;
+        }
+
         /* mark CC as read-only */
         *(p+1) |= I93_ICODE_CC_READ_ONLY;