Merge "Fix for potential OOB write due to missing boundary check." am: 1d59235c78 am: 4fedde4020

Original change: https://android-review.googlesource.com/c/platform/hardware/nxp/secure_element/+/2628856

Change-Id: I6ec340a0e3e19c4f76de7c0367c7fb2530d35faf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

3 files changed, 18 insertions, 3 deletions

diff --git a/pn8x/libese-spi/p73/lib/phNxpEseDataMgr.cpp b/pn8x/libese-spi/p73/lib/phNxpEseDataMgr.cpp
index 0213e18..ef0ca3a 100755
--- a/pn8x/libese-spi/p73/lib/phNxpEseDataMgr.cpp
+++ b/pn8x/libese-spi/p73/lib/phNxpEseDataMgr.cpp
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018 NXP
+ *  Copyright 2018,2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -79,6 +79,10 @@ ESESTATUS phNxpEse_GetData(uint32_t* data_len, uint8_t** pbuffer) {
  *
  ******************************************************************************/
 ESESTATUS phNxpEse_StoreDatainList(uint32_t data_len, uint8_t* pbuff) {
+  if (data_len > MAX_DATA_LEN) {
+    ALOGE("%s Data length causes oob write error", __FUNCTION__);
+    return ESESTATUS_INVALID_RECEIVE_LENGTH;
+  }
   phNxpEse_sCoreRecvBuff_List_t* newNode = NULL;
 
   newNode = (phNxpEse_sCoreRecvBuff_List_t*)phNxpEse_memalloc(
diff --git a/pn8x/libese-spi/p73/lib/phNxpEseProto7816_3.cpp b/pn8x/libese-spi/p73/lib/phNxpEseProto7816_3.cpp
index f7a1679..76de6b9 100755
--- a/pn8x/libese-spi/p73/lib/phNxpEseProto7816_3.cpp
+++ b/pn8x/libese-spi/p73/lib/phNxpEseProto7816_3.cpp
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018 NXP
+ *  Copyright 2018,2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -967,7 +967,7 @@ static ESESTATUS phNxpEseProto7816_ProcessResponse(void) {
             IDLE_STATE;
         phNxpEseProto7816_3_Var.timeoutCounter = PH_PROTO_7816_VALUE_ZERO;
         ALOGE("%s calling phNxpEse_StoreDatainList", __FUNCTION__);
-        phNxpEse_StoreDatainList(data_len, p_data);
+        status = phNxpEse_StoreDatainList(data_len, p_data);
       }
     }
   }
@@ -1033,6 +1033,13 @@ static ESESTATUS TransceiveProcess(void) {
                       &phNxpEseProto7816_3_Var.phNxpEseNextTx_Cntx,
                       sizeof(phNxpEseProto7816_NextTx_Info_t));
       status = phNxpEseProto7816_ProcessResponse();
+      if (ESESTATUS_NOT_ENOUGH_MEMORY == status ||
+          ESESTATUS_INVALID_RECEIVE_LENGTH == status) {
+        ALOGE("%s Processing response failed, shall retry in new session",
+              __FUNCTION__);
+        phNxpEseProto7816_3_Var.phNxpEseProto7816_nextTransceiveState =
+            IDLE_STATE;
+      }
     } else {
       ALOGD_IF(ese_debug_enabled,
                "%s Transceive send failed, going to recovery!", __FUNCTION__);
diff --git a/snxxx/libese-spi/p73/lib/phNxpEseDataMgr.cpp b/snxxx/libese-spi/p73/lib/phNxpEseDataMgr.cpp
index 87af666..baf8afa 100755
--- a/snxxx/libese-spi/p73/lib/phNxpEseDataMgr.cpp
+++ b/snxxx/libese-spi/p73/lib/phNxpEseDataMgr.cpp
@@ -87,6 +87,10 @@ ESESTATUS phNxpEse_GetData(uint32_t* data_len, uint8_t** pbuffer) {
  *
  ******************************************************************************/
 ESESTATUS phNxpEse_StoreDatainList(uint32_t data_len, uint8_t* pbuff) {
+  if (data_len > MAX_DATA_LEN) {
+    ALOGE("%s Data length causes oob write error", __FUNCTION__);
+    return ESESTATUS_INVALID_RECEIVE_LENGTH;
+  }
   phNxpEse_sCoreRecvBuff_List_t* newNode = NULL;
 
   newNode = (phNxpEse_sCoreRecvBuff_List_t*)phNxpEse_memalloc(