authorfang.x.chen <fang.x.chen@sonymobile.com>2016-11-07 12:31:10 +0900
committerAndre Eisenbach <eisenbach@google.com>2016-12-06 18:22:38 +0000
commitcba7232db14f6ffceb6813315177ee99c422e343 (patch)
tree038ab28cca81313acf8764bf629ba1ad7e687dcb
parentc99d11b183159f3f72f3c1a1b241ce3983a292dd (diff)
downloadlibnfc-nci-cba7232db14f6ffceb6813315177ee99c422e343.tar.gz
Fix native crash in nfc_ncif_proc_activate
The destination of the memcpy is allocated with a predetermined maximum length, but in some cases the length of the information being copied is greater than the maximum length of the destination. This is the root cause of the crash. Add a length check before the memcpy so the copy cannot overflow the destination buffer. Test: Repeat reading and writing tag Bug: 32688507 Change-Id: I09ee3c734e9be38a35b1d48679d74e42e0432d78
-rw-r--r--src/nfc/nfc/nfc_ncif.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index 06c12bb..2329933 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -839,6 +839,8 @@ void nfc_ncif_proc_activate (UINT8 *p, UINT8 len)
pp++; /* TC */
}
p_pa_iso->his_byte_len = (UINT8) (p_pa_iso->ats_res_len - (pp - p_pa_iso->ats_res));
+ if (p_pa_iso->his_byte_len > NFC_MAX_HIS_BYTES_LEN)
+ p_pa_iso->his_byte_len = NFC_MAX_HIS_BYTES_LEN;
memcpy (p_pa_iso->his_byte, pp, p_pa_iso->his_byte_len);
break;