Fix for potential OOB write due to missing boundary check. am: 471e6431b8

Original change: https://android-review.googlesource.com/c/platform/hardware/nxp/secure_element/+/2628857 Change-Id: Iaf2791d9fa5774ce902529bf35f392f1eebf1cd3 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
author: suryaprakash.konduru <suryaprakash.konduru@nxp.com> 2023-08-09 19:42:18 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2023-08-09 19:42:18 +0000
commit: e04e7fd2f60b231e8ab1c083761d869f363c29c1 (patch)
tree: 3397c4df1be8eb724262694bf7aee3d70dfa8ef0
parent: 0d97c00448eb8ca146b3d3f11691e405dc6e6276 (diff)
parent: 471e6431b8859e86284ba9eac2cd12b603dc816a (diff)
download: secure_element-e04e7fd2f60b231e8ab1c083761d869f363c29c1.tar.gz
2 files changed, 9 insertions, 1 deletions
diff --git a/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp b/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp
index 9db2d3b..1fb73fe 100644
--- a/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp
+++ b/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018 NXP
+ *  Copyright 2018,2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -999,6 +999,10 @@ static int phNxpEse_readPacket(void* pDevHandle, uint8_t* pBuffer,
  *
  ******************************************************************************/
 ESESTATUS phNxpEse_WriteFrame(uint32_t data_len, const uint8_t* p_data) {
+  if (data_len > MAX_DATA_LEN) {
+    ALOGE("%s Data length causes oob write error", __FUNCTION__);
+    return ESESTATUS_FAILED;
+  }
   ESESTATUS status = ESESTATUS_INVALID_PARAMETER;
   int32_t dwNoBytesWrRd = 0;
   ALOGD_IF(ese_debug_enabled, "Enter %s ", __FUNCTION__);
diff --git a/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp b/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp
index 5fc188e..09d9df9 100644
--- a/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp
+++ b/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp
@@ -1567,6 +1567,10 @@ static int phNxpEse_readPacket_legacy(void* pDevHandle, uint8_t* pBuffer,
  *
  ******************************************************************************/
 ESESTATUS phNxpEse_WriteFrame(uint32_t data_len, uint8_t* p_data) {
+  if (data_len > MAX_DATA_LEN || data_len == 0) {
+    ALOGE("%s Data length causes oob write error", __FUNCTION__);
+    return ESESTATUS_FAILED;
+  }
   ESESTATUS status = ESESTATUS_INVALID_PARAMETER;
   int32_t dwNoBytesWrRd = 0;
   NXP_LOG_ESE_D("Enter %s ", __FUNCTION__);
author	suryaprakash.konduru <suryaprakash.konduru@nxp.com>	2023-08-09 19:42:18 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-08-09 19:42:18 +0000
commit	e04e7fd2f60b231e8ab1c083761d869f363c29c1 (patch)
tree	3397c4df1be8eb724262694bf7aee3d70dfa8ef0
parent	0d97c00448eb8ca146b3d3f11691e405dc6e6276 (diff)
parent	471e6431b8859e86284ba9eac2cd12b603dc816a (diff)
download	secure_element-e04e7fd2f60b231e8ab1c083761d869f363c29c1.tar.gz