diff options
| author | George Chang <georgekgchang@google.com> | 2019-07-05 17:17:05 +0800 |
|---|---|---|
| committer | Arjun Garg <arjgarg@google.com> | 2019-07-16 13:36:50 -0700 |
| commit | 13b47d570d9b644232394944aa1d089b1846bd98 (patch) | |
| tree | 13f167bdc925124d5c4c660b2923a1b883f839e4 | |
| parent | 58b22c53e6d4ec42efd29ebfd8ea374efcdbd78e (diff) | |
| download | libnfc-nci-nougat-mr2-security-release.tar.gz | |
Prevent OOB read in rw_t4t.ccandroid-7.1.2_r39android-7.1.2_r38nougat-mr2-security-release
Bug: 120865977
Bug: 120274615
Bug: 124462242
Test: Read T4T Tag
Change-Id: Id1b07fa79edabaf27e18a7147d1e7ae66cf3c4b3
(cherry picked from commit 5aeaa05d787c3d2b7951c6bdf83ff99e570d69f6)
| -rw-r--r-- | src/nfc/include/tags_defs.h | 1 | ||||
| -rw-r--r-- | src/nfc/tags/rw_t4t.c | 19 |
2 files changed, 20 insertions, 0 deletions
diff --git a/src/nfc/include/tags_defs.h b/src/nfc/include/tags_defs.h index 14d2859..95cc984 100644 --- a/src/nfc/include/tags_defs.h +++ b/src/nfc/include/tags_defs.h @@ -384,6 +384,7 @@ typedef UINT8 tT3T_POLL_RC; #define T4T_FILE_LENGTH_SIZE 0x02 #define T4T_ADDI_FRAME_RESP 0xAFU +#define T4T_DES_GET_VERSION_LEN 0x09 #define T4T_SIZE_IDENTIFIER_2K 0x16U #define T4T_SIZE_IDENTIFIER_4K 0x18U #define T4T_SIZE_IDENTIFIER_8K 0x1AU diff --git a/src/nfc/tags/rw_t4t.c b/src/nfc/tags/rw_t4t.c index c634591..044432d 100644 --- a/src/nfc/tags/rw_t4t.c +++ b/src/nfc/tags/rw_t4t.c @@ -23,6 +23,7 @@ * mode. * ******************************************************************************/ +#include <log/log.h> #include <string.h> #include "nfc_target.h" #include "bt_types.h" @@ -220,6 +221,12 @@ static BOOLEAN rw_t4t_update_version_details (BT_HDR *p_r_apdu) UINT8 *p; UINT16 major_version, minor_version; + if (p_r_apdu->len < T4T_DES_GET_VERSION_LEN) { + RW_TRACE_ERROR1("%s incorrect p_r_apdu length", __func__); + android_errorWriteLog(0x534e4554, "120865977"); + return FALSE; + } + p = (UINT8 *) (p_r_apdu + 1) + p_r_apdu->offset; major_version = *(p + 3); minor_version = *(p + 4); @@ -1070,6 +1077,8 @@ static void rw_t4t_handle_error (tNFC_STATUS status, UINT8 sw1, UINT8 sw2) rw_data.t4t_sw.sw1 = sw1; rw_data.t4t_sw.sw2 = sw2; + rw_data.ndef.cur_size = 0; + rw_data.ndef.max_size = 0; switch (p_t4t->state) { @@ -1978,6 +1987,16 @@ static void rw_t4t_data_cback (UINT8 conn_id, tNFC_CONN_EVT event, tNFC_CONN *p_ RW_TRACE_DEBUG1 ("RW T4T state: %d", p_t4t->state); #endif + if (p_t4t->state != RW_T4T_STATE_IDLE && + p_t4t->state != RW_T4T_STATE_PRESENCE_CHECK && + p_r_apdu->len < T4T_RSP_STATUS_WORDS_SIZE) { + RW_TRACE_ERROR1("%s incorrect p_r_apdu length", __func__); + android_errorWriteLog(0x534e4554, "120865977"); + rw_t4t_handle_error(NFC_STATUS_FAILED, 0, 0); + GKI_freebuf(p_r_apdu); + return; + } + switch (p_t4t->state) { case RW_T4T_STATE_IDLE: |