diff options
author | suryaprakash.konduru <suryaprakash.konduru@nxp.com> | 2023-06-19 17:43:26 +0530 |
---|---|---|
committer | Suryaprakash Konduru <suryaprakash.konduru@nxp.com> | 2023-08-02 19:43:44 +0000 |
commit | 471e6431b8859e86284ba9eac2cd12b603dc816a (patch) | |
tree | 3397c4df1be8eb724262694bf7aee3d70dfa8ef0 | |
parent | 4fedde4020b5130424d4539910113c1ed03b450f (diff) | |
download | secure_element-471e6431b8859e86284ba9eac2cd12b603dc816a.tar.gz |
Fix for potential OOB write due to missing boundary check.
Bug: 256818209
Test: Vts SE test
Change-Id: I96ad4228ec24166f06c469a50744d5e28f5271fa
-rw-r--r-- | pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp | 6 | ||||
-rw-r--r-- | snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp | 4 |
2 files changed, 9 insertions, 1 deletions
diff --git a/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp b/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp index 9db2d3b..1fb73fe 100644 --- a/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp +++ b/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018 NXP + * Copyright 2018,2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -999,6 +999,10 @@ static int phNxpEse_readPacket(void* pDevHandle, uint8_t* pBuffer, * ******************************************************************************/ ESESTATUS phNxpEse_WriteFrame(uint32_t data_len, const uint8_t* p_data) { + if (data_len > MAX_DATA_LEN) { + ALOGE("%s Data length causes oob write error", __FUNCTION__); + return ESESTATUS_FAILED; + } ESESTATUS status = ESESTATUS_INVALID_PARAMETER; int32_t dwNoBytesWrRd = 0; ALOGD_IF(ese_debug_enabled, "Enter %s ", __FUNCTION__); diff --git a/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp b/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp index 5fc188e..09d9df9 100644 --- a/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp +++ b/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp @@ -1567,6 +1567,10 @@ static int phNxpEse_readPacket_legacy(void* pDevHandle, uint8_t* pBuffer, * ******************************************************************************/ ESESTATUS phNxpEse_WriteFrame(uint32_t data_len, uint8_t* p_data) { + if (data_len > MAX_DATA_LEN || data_len == 0) { + ALOGE("%s Data length causes oob write error", __FUNCTION__); + return ESESTATUS_FAILED; + } ESESTATUS status = ESESTATUS_INVALID_PARAMETER; int32_t dwNoBytesWrRd = 0; NXP_LOG_ESE_D("Enter %s ", __FUNCTION__); |