diff options
| author | suryaprakash.konduru <suryaprakash.konduru@nxp.com> | 2023-06-19 17:36:48 +0530 |
|---|---|---|
| committer | suryaprakash.konduru <suryaprakash.konduru@nxp.com> | 2023-06-19 17:36:48 +0530 |
| commit | b846b2f12e88630b9ba6a4a5332edadcdbcbde88 (patch) | |
| tree | 390a96fbcf7173f9a5f800b7a4bcd6836e735c7c | |
| parent | 6382ac40864a2960c13ca2c9a08f70d36836f09f (diff) | |
| download | secure_element-b846b2f12e88630b9ba6a4a5332edadcdbcbde88.tar.gz | |
Fix for potential OOB write due to missing boundary check.
Bug: 256818564
Test: Vts SE test
Change-Id: Ie9fa50072c17c05b870d06ba288f865d0bc55bc0
| -rwxr-xr-x | pn8x/libese-spi/p73/lib/phNxpEseDataMgr.cpp | 6 | ||||
| -rwxr-xr-x | pn8x/libese-spi/p73/lib/phNxpEseProto7816_3.cpp | 11 | ||||
| -rwxr-xr-x | snxxx/libese-spi/p73/lib/phNxpEseDataMgr.cpp | 4 |
3 files changed, 18 insertions, 3 deletions
diff --git a/pn8x/libese-spi/p73/lib/phNxpEseDataMgr.cpp b/pn8x/libese-spi/p73/lib/phNxpEseDataMgr.cpp index 0213e18..ef0ca3a 100755 --- a/pn8x/libese-spi/p73/lib/phNxpEseDataMgr.cpp +++ b/pn8x/libese-spi/p73/lib/phNxpEseDataMgr.cpp @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018 NXP + * Copyright 2018,2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -79,6 +79,10 @@ ESESTATUS phNxpEse_GetData(uint32_t* data_len, uint8_t** pbuffer) { * ******************************************************************************/ ESESTATUS phNxpEse_StoreDatainList(uint32_t data_len, uint8_t* pbuff) { + if (data_len > MAX_DATA_LEN) { + ALOGE("%s Data length causes oob write error", __FUNCTION__); + return ESESTATUS_INVALID_RECEIVE_LENGTH; + } phNxpEse_sCoreRecvBuff_List_t* newNode = NULL; newNode = (phNxpEse_sCoreRecvBuff_List_t*)phNxpEse_memalloc( diff --git a/pn8x/libese-spi/p73/lib/phNxpEseProto7816_3.cpp b/pn8x/libese-spi/p73/lib/phNxpEseProto7816_3.cpp index f7a1679..76de6b9 100755 --- a/pn8x/libese-spi/p73/lib/phNxpEseProto7816_3.cpp +++ b/pn8x/libese-spi/p73/lib/phNxpEseProto7816_3.cpp @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018 NXP + * Copyright 2018,2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -967,7 +967,7 @@ static ESESTATUS phNxpEseProto7816_ProcessResponse(void) { IDLE_STATE; phNxpEseProto7816_3_Var.timeoutCounter = PH_PROTO_7816_VALUE_ZERO; ALOGE("%s calling phNxpEse_StoreDatainList", __FUNCTION__); - phNxpEse_StoreDatainList(data_len, p_data); + status = phNxpEse_StoreDatainList(data_len, p_data); } } } @@ -1033,6 +1033,13 @@ static ESESTATUS TransceiveProcess(void) { &phNxpEseProto7816_3_Var.phNxpEseNextTx_Cntx, sizeof(phNxpEseProto7816_NextTx_Info_t)); status = phNxpEseProto7816_ProcessResponse(); + if (ESESTATUS_NOT_ENOUGH_MEMORY == status || + ESESTATUS_INVALID_RECEIVE_LENGTH == status) { + ALOGE("%s Processing response failed, shall retry in new session", + __FUNCTION__); + phNxpEseProto7816_3_Var.phNxpEseProto7816_nextTransceiveState = + IDLE_STATE; + } } else { ALOGD_IF(ese_debug_enabled, "%s Transceive send failed, going to recovery!", __FUNCTION__); diff --git a/snxxx/libese-spi/p73/lib/phNxpEseDataMgr.cpp b/snxxx/libese-spi/p73/lib/phNxpEseDataMgr.cpp index 87af666..baf8afa 100755 --- a/snxxx/libese-spi/p73/lib/phNxpEseDataMgr.cpp +++ b/snxxx/libese-spi/p73/lib/phNxpEseDataMgr.cpp @@ -87,6 +87,10 @@ ESESTATUS phNxpEse_GetData(uint32_t* data_len, uint8_t** pbuffer) { * ******************************************************************************/ ESESTATUS phNxpEse_StoreDatainList(uint32_t data_len, uint8_t* pbuff) { + if (data_len > MAX_DATA_LEN) { + ALOGE("%s Data length causes oob write error", __FUNCTION__); + return ESESTATUS_INVALID_RECEIVE_LENGTH; + } phNxpEse_sCoreRecvBuff_List_t* newNode = NULL; newNode = (phNxpEse_sCoreRecvBuff_List_t*)phNxpEse_memalloc( |