author | Ruchi Kandoi <kandoiruchi@google.com> | 2018-10-17 16:14:08 -0700 |
---|---|---|
committer | Rohit Yengisetty <rngy@google.com> | 2018-11-05 13:52:51 -0800 |
commit | adc729e563f5b63595de0c129e3c07dcbac22cfa (patch) | |
tree | 5c56dbb4c102819d29bc4a0eaa172a52b83e8efc | |
parent | 069433334213e05fc99473c694a64868a6510706 (diff) | |
Prevent OOB error in nfc_ncif_proc_get_routing()
Test: Tag reading; Card Emulation
Bug: 117554809
Change-Id: Ib49af2eadf870f030a6cddeec390dc498bd5078c
(cherry picked from commit 8c29aa84918b79d3bad0a68430a2dfbeec41bde6)
-rw-r--r-- | src/nfc/nfc/nfc_ncif.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index 2e2c14f..5719621 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -24,8 +24,10 @@
 * (callback). On the transmit side, it manages the command transmission.
 *
 ******************************************************************************/
+#include <log/log.h>
 #include <stdlib.h>
 #include <string.h>
+
 #include "nfc_target.h"

 #if NFC_INCLUDED == TRUE
@@ -1171,8 +1173,13 @@ void nfc_ncif_proc_get_routing (UINT8 *p, UINT8 len)
 {
 tl = *(p+1);
 tl += NFC_TL_SIZE;
- STREAM_TO_ARRAY (pn, p, tl);
 evt_data.tlv_size += tl;
+ if (evt_data.tlv_size > NFC_MAX_EE_TLV_SIZE) {
+ android_errorWriteLog(0x534e4554, "117554809");
+ NFC_TRACE_ERROR1("%s Invalid data format", __func__);
+ return;
+ }
+ STREAM_TO_ARRAY (pn, p, tl);
 pn += tl;
 }
 (*nfc_cb.p_resp_cback) (NFC_GET_ROUTING_REVT, (tNFC_RESPONSE *) &evt_data);
|
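Review bot: In the second hunk (nfc_ncif_proc_get_routing) the added guard bounds only the destination side of the copy: `tl` is still taken from `*(p+1)` and `STREAM_TO_ARRAY (pn, p, tl)` then reads `tl` bytes from `p`, and nothing in the visible lines compares either access against the `len` parameter shown in the hunk header. Unless the part of the function outside this hunk already tracks the remaining input, a source-side check belongs next to the new one: confirm `len >= NFC_TL_SIZE` before reading `*(p+1)`, reject `tl > len` before the copy, and follow the copy with `len -= tl;`. It is also worth confirming the widths of `tl` and `evt_data.tlv_size`; if either is 8-bit, `tl += NFC_TL_SIZE` or the running sum could wrap before the comparison with `NFC_MAX_EE_TLV_SIZE`. The function starts and ends outside the hunk, so both points are inferred from the lines shown.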