diff options
author | Jack Yu <jackcwyu@google.com> | 2019-01-30 15:46:03 +0800 |
---|---|---|
committer | JP Sugarbroad <jpsugar@google.com> | 2019-02-12 13:10:23 -0800 |
commit | a0ffb242233247f657a6af3ea26cd5272d20a359 (patch) | |
tree | 9051b4df1e9d14cbf5847e4d95111d072dc2dbd9 | |
parent | eb7993955684d5dff8c166c6a5c35617f9efca3d (diff) | |
download | libnfc-nci-a0ffb242233247f657a6af3ea26cd5272d20a359.tar.gz |
Prevent OOB error in rw_i93_sm_update_ndef()
Bug: 122320256
Test: NFC tag reading
Change-Id: I6b57b186c8b4c793e05d646286ed8155dc460bf5
(cherry picked from commit 8a433fd5db78b81fcfff78460d2e02c820ddc4cd)
-rw-r--r-- | src/nfc/tags/rw_i93.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c index d883d96..4fcf4ac 100644 --- a/src/nfc/tags/rw_i93.c +++ b/src/nfc/tags/rw_i93.c @@ -2083,6 +2083,12 @@ void rw_i93_sm_update_ndef (BT_HDR *p_resp) RW_TRACE_DEBUG1 ("rw_i93_sm_update_ndef () sub_state:0x%x", p_i93->sub_state); #endif + if (length == 0 || p_i93->block_size > I93_MAX_BLOCK_LENGH) { + android_errorWriteLog(0x534e4554, "122320256"); + rw_i93_handle_error (NFC_STATUS_FAILED); + return; + } + STREAM_TO_UINT8 (flags, p); length--; @@ -2112,6 +2118,12 @@ void rw_i93_sm_update_ndef (BT_HDR *p_resp) /* get offset of length field */ length_offset = (p_i93->ndef_tlv_start_offset + 1) % p_i93->block_size; + if (length < length_offset) { + android_errorWriteLog(0x534e4554, "122320256"); + rw_i93_handle_error (NFC_STATUS_FAILED); + return; + } + /* set length to zero */ *(p + length_offset) = 0x00; @@ -2130,6 +2142,12 @@ void rw_i93_sm_update_ndef (BT_HDR *p_resp) /* write the first part of NDEF in the same block */ for ( ; xx < p_i93->block_size; xx++) { + if (xx > length || p_i93->rw_length > p_i93->ndef_length) { + android_errorWriteLog(0x534e4554, "122320256"); + rw_i93_handle_error (NFC_STATUS_FAILED); + return; + } + if (p_i93->rw_length < p_i93->ndef_length) { *(p + xx) = *(p_i93->p_update_data + p_i93->rw_length++); @@ -2305,6 +2323,11 @@ void rw_i93_sm_update_ndef (BT_HDR *p_resp) /* update length field within the read block */ for (xx = length_offset; xx < p_i93->block_size; xx++) { + if (xx > length) { + android_errorWriteLog(0x534e4554, "122320256"); + rw_i93_handle_error (NFC_STATUS_FAILED); + return; + } if (p_i93->rw_length == 3) *(p + xx) = 0xFF; else if (p_i93->rw_length == 2) |