diff options
author | suryaprakash.konduru <suryaprakash.konduru@nxp.com> | 2023-08-09 22:36:32 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-08-09 22:36:32 +0000 |
commit | 7cc72575350761839ff44c9dbbf136638f4675f8 (patch) | |
tree | 3397c4df1be8eb724262694bf7aee3d70dfa8ef0 | |
parent | 0efc5a0b09e67d743b3465f4af3e3409da1f2853 (diff) | |
parent | d4931f70dea845ae9cd474b2a483533d2fbc14b3 (diff) | |
download | secure_element-android14-qpr2-release.tar.gz |
Fix for potential OOB write due to missing boundary check. am: 471e6431b8 am: e04e7fd2f6 am: 8a931bbafb am: fe92bc6938 am: d4931f70deandroid-14.0.0_r33android-14.0.0_r32android-14.0.0_r31android-14.0.0_r30android-14.0.0_r29android14-qpr2-s3-releaseandroid14-qpr2-s2-releaseandroid14-qpr2-s1-releaseandroid14-qpr2-release
Original change: https://android-review.googlesource.com/c/platform/hardware/nxp/secure_element/+/2628857
Change-Id: Ib73e4f1c4095921c49f8b30c3d10d3d191d6ce6d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp | 6 | ||||
-rw-r--r-- | snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp | 4 |
2 files changed, 9 insertions, 1 deletions
diff --git a/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp b/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp index 9db2d3b..1fb73fe 100644 --- a/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp +++ b/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018 NXP + * Copyright 2018,2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -999,6 +999,10 @@ static int phNxpEse_readPacket(void* pDevHandle, uint8_t* pBuffer, * ******************************************************************************/ ESESTATUS phNxpEse_WriteFrame(uint32_t data_len, const uint8_t* p_data) { + if (data_len > MAX_DATA_LEN) { + ALOGE("%s Data length causes oob write error", __FUNCTION__); + return ESESTATUS_FAILED; + } ESESTATUS status = ESESTATUS_INVALID_PARAMETER; int32_t dwNoBytesWrRd = 0; ALOGD_IF(ese_debug_enabled, "Enter %s ", __FUNCTION__); diff --git a/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp b/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp index 5fc188e..09d9df9 100644 --- a/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp +++ b/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp @@ -1567,6 +1567,10 @@ static int phNxpEse_readPacket_legacy(void* pDevHandle, uint8_t* pBuffer, * ******************************************************************************/ ESESTATUS phNxpEse_WriteFrame(uint32_t data_len, uint8_t* p_data) { + if (data_len > MAX_DATA_LEN || data_len == 0) { + ALOGE("%s Data length causes oob write error", __FUNCTION__); + return ESESTATUS_FAILED; + } ESESTATUS status = ESESTATUS_INVALID_PARAMETER; int32_t dwNoBytesWrRd = 0; NXP_LOG_ESE_D("Enter %s ", __FUNCTION__); |