authorJizhou Liao <Jizhou.Liao@nxp.com>2016-06-15 15:08:53 -0700
committerMartijn Coenen <maco@google.com>2016-07-20 10:11:05 +0200
commite1e11dc29f1a81d3039c0cfd395d3a1289fc2559 (patch)
tree551b4b7b4e137cfe98facb98dbcd4191af4a54ea
parent0b849e3a0517f8e0caab8812d95d6a56f8709007 (diff)
downloadlibnfc-nci-e1e11dc29f1a81d3039c0cfd395d3a1289fc2559.tar.gz
Fix ISO15693 crash with >= 255 bytes NDef message.
There is a null pointer crash if the data of a block doesn't contain any NDef message data. Bug: 30240338 Change-Id: Iff54f11b76317bac21f148bf9298ae8c3201093a
-rw-r--r--src/nfc/tags/rw_i93.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c
index acdbcb7..cec6af9 100644
--- a/src/nfc/tags/rw_i93.c
+++ b/src/nfc/tags/rw_i93.c
@@ -1997,6 +1997,11 @@ void rw_i93_sm_read_ndef (BT_HDR *p_resp)
p_i93->rw_length += p_resp->len;
}
+ else
+ {
+ /* in case of no Ndef data included */
+ p_resp->len = 0;
+ }
/* if read all of NDEF data */
if (p_i93->rw_length >= p_i93->ndef_length)
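Review bot: The new else path at `p_resp->len = 0;` still falls through into the `if (p_i93->rw_length >= p_i93->ndef_length)` check, and `rw_data` is presumably left unpopulated on that path, since whatever fills it sits in the preceding if-branch outside this hunk. The second hunk guards only one callback site with `if (p_resp->len > 0)`; if the completion branch also invokes the callback, it needs the same guard, or this else branch should return early. Because the response comes from an untrusted tag, the comment should also say why the length is zeroed, for example `/* block holds no NDEF payload: zero len so the callback below is skipped */`. The body of rw_i93_sm_read_ndef starts and ends outside the hunk.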
@@ -2019,7 +2024,10 @@ void rw_i93_sm_read_ndef (BT_HDR *p_resp)
p_resp->len,
p_i93->ndef_length);
- (*(rw_cb.p_cback)) (RW_I93_NDEF_READ_EVT, &rw_data);
+ if (p_resp->len > 0)
+ {
+ (*(rw_cb.p_cback)) (RW_I93_NDEF_READ_EVT, &rw_data);
+ }
/* this will make read data from next block */
p_i93->rw_offset += length;
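Review bot: When `p_resp->len` is 0 the callback at `(*(rw_cb.p_cback)) (RW_I93_NDEF_READ_EVT, &rw_data);` is now skipped, and nothing visible in this hunk releases `p_resp` on that path. If the upper layer normally takes ownership of the buffer through this event (the caller is not shown, so please confirm), every block without NDEF data leaks one buffer, which a tag could trigger repeatedly. If so, add the release to the skipped branch, e.g. `else { GKI_freebuf (p_resp); }`, or document at the guard who frees the response. The enclosing function continues outside the hunk.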