Fix for potential OOB write due to missing boundary check. am: 471e6431b8 am: e04e7fd2f6 am: 8a931bbafb am: fe92bc6938

Original change: https://android-review.googlesource.com/c/platform/hardware/nxp/secure_element/+/2628857 Change-Id: Icd6e44dd276cfa24acd1e049911f2b8c03eef314 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
author: suryaprakash.konduru <suryaprakash.konduru@nxp.com> 2023-08-09 21:54:49 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2023-08-09 21:54:49 +0000
commit: d4931f70dea845ae9cd474b2a483533d2fbc14b3 (patch)
tree: 3397c4df1be8eb724262694bf7aee3d70dfa8ef0
parent: 0ade407804ddcde95c3ea115822592fc7c4cbae7 (diff)
parent: fe92bc6938f358ab8a4c602ba05f3c036f1225be (diff)
download: secure_element-d4931f70dea845ae9cd474b2a483533d2fbc14b3.tar.gz
2 files changed, 9 insertions, 1 deletions
diff --git a/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp b/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp
index 9db2d3b..1fb73fe 100644
--- a/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp
+++ b/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018 NXP
+ *  Copyright 2018,2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -999,6 +999,10 @@ static int phNxpEse_readPacket(void* pDevHandle, uint8_t* pBuffer,
  *
  ******************************************************************************/
 ESESTATUS phNxpEse_WriteFrame(uint32_t data_len, const uint8_t* p_data) {
+  if (data_len > MAX_DATA_LEN) {
+    ALOGE("%s Data length causes oob write error", __FUNCTION__);
+    return ESESTATUS_FAILED;
+  }
   ESESTATUS status = ESESTATUS_INVALID_PARAMETER;
   int32_t dwNoBytesWrRd = 0;
   ALOGD_IF(ese_debug_enabled, "Enter %s ", __FUNCTION__);
diff --git a/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp b/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp
index 5fc188e..09d9df9 100644
--- a/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp
+++ b/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp
@@ -1567,6 +1567,10 @@ static int phNxpEse_readPacket_legacy(void* pDevHandle, uint8_t* pBuffer,
  *
  ******************************************************************************/
 ESESTATUS phNxpEse_WriteFrame(uint32_t data_len, uint8_t* p_data) {
+  if (data_len > MAX_DATA_LEN || data_len == 0) {
+    ALOGE("%s Data length causes oob write error", __FUNCTION__);
+    return ESESTATUS_FAILED;
+  }
   ESESTATUS status = ESESTATUS_INVALID_PARAMETER;
   int32_t dwNoBytesWrRd = 0;
   NXP_LOG_ESE_D("Enter %s ", __FUNCTION__);
author	suryaprakash.konduru <suryaprakash.konduru@nxp.com>	2023-08-09 21:54:49 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-08-09 21:54:49 +0000
commit	d4931f70dea845ae9cd474b2a483533d2fbc14b3 (patch)
tree	3397c4df1be8eb724262694bf7aee3d70dfa8ef0
parent	0ade407804ddcde95c3ea115822592fc7c4cbae7 (diff)
parent	fe92bc6938f358ab8a4c602ba05f3c036f1225be (diff)
download	secure_element-d4931f70dea845ae9cd474b2a483533d2fbc14b3.tar.gz