authorBhautik Ardeshana <bhautik.ardeshana@nxp.com>2023-03-15 08:40:25 +0530
committerBhautik Ardeshana <bhautik.ardeshana@nxp.com>2023-03-15 08:40:25 +0530
commit1ee9c729254cf4fd0c0a89399f45d91316c1f9ed (patch)
treebac1bdf8f0bd53806788db5e634f1d076b8180a6
parente488ca90d6ea60690c578663e6f3b6ffa64e8e3a (diff)
downloaduwb-1ee9c729254cf4fd0c0a89399f45d91316c1f9ed.tar.gz
uwb(hal): Fix security vulnarability reported in uwb halandroid-u-beta-1-gpl
Changes mainly resolve OOB and array-index out-of-bounds security issues. Bug: 269746228,268485040,268192935,267311318 Test: Android Security Assessment Change-Id: Id3f43b048ded859ee7b14b6dba40d9b6a1ea54af
-rw-r--r--halimpl/hal/phNxpUciHal.cc44
-rw-r--r--halimpl/hal/phNxpUciHal_ext.cc6
2 files changed, 44 insertions, 6 deletions
diff --git a/halimpl/hal/phNxpUciHal.cc b/halimpl/hal/phNxpUciHal.cc
index 9479236..5fccbcf 100644
--- a/halimpl/hal/phNxpUciHal.cc
+++ b/halimpl/hal/phNxpUciHal.cc
@@ -1,5 +1,5 @@
/*
- * Copyright 2012-2019, 2022 NXP
+ * Copyright 2012-2019, 2022-2023 NXP
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -79,6 +79,7 @@ static void phNxpUciHal_print_response_status(uint8_t *p_rx_data,
*******************************************************************************/
bool get_input_map(const uint8_t* i_data, uint16_t iData_len) {
vector<uint16_t> input_vec;
+ bool ret = true;
uint16_t i = 0, j = 0, tag = 0, len = 0;
i = UCI_PKT_HDR_LEN + UCI_PKT_PAYLOAD_STATUS_LEN + UCI_PKT_NUM_CAPS_LEN;
if (i_data == NULL) {
@@ -86,20 +87,36 @@ bool get_input_map(const uint8_t* i_data, uint16_t iData_len) {
return false;
}
while (i < iData_len) {
+ if (i + 1 >= iData_len) {
+ ret = false;
+ break;
+ }
tag = i_data[i++];
// Tag IDs from 0xE0 to 0xE2 are extended tag IDs with 2 bytes length.
if((tag >= 0xE0) && (tag <= 0xE2)) {
+ if (i + 1 >= iData_len) {
+ ret = false;
+ break;
+ }
tag = (tag << 8) | i_data[i++];
}
+ if (i + 1 >= iData_len) {
+ ret = false;
+ break;
+ }
len = i_data[i++];
input_vec.insert(input_vec.begin(), len);
+ if (i + len > iData_len) {
+ ret = false;
+ break;
+ }
for (j = 1; j <= len; j++) {
input_vec.insert(input_vec.begin() + j, i_data[i++]);
}
input_map[tag] = input_vec;
input_vec.clear();
}
- return true;
+ return ret;
}
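Review bot: The guard added before `len = i_data[i++];` uses `i + 1 >= iData_len`, which rejects a length byte at the last index even though reading it is in bounds. If the protocol allows a zero-length value, a packet whose final TLV is `tag, 0x00` now makes get_input_map return false. The following `i + len > iData_len` check already covers the value bytes, so the length-byte guard only needs `if (i >= iData_len) {`. The same guard appears in get_conf_map in the next hunk. The `i + len` comparison itself looks safe from wrap-around where `int` is wider than 16 bits, since both `uint16_t` operands are promoted before the addition; a one-line comment saying so would keep a later cleanup from narrowing it.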
/*******************************************************************************
@@ -113,26 +130,43 @@ bool get_input_map(const uint8_t* i_data, uint16_t iData_len) {
*******************************************************************************/
bool get_conf_map(uint8_t* c_data, uint16_t cData_len) {
vector<uint16_t> conf_vec;
+ bool ret = true;
uint16_t i = 0, j = 0, tag = 0, len = 0;
if (c_data == NULL) {
NXPLOG_UCIHAL_D("Country code conf map creation failed, c_data is NULL" );
return false;
}
while (i < cData_len) {
+ if (i + 1 >= cData_len) {
+ ret = false;
+ break;
+ }
tag = c_data[i++];
// Tag IDs from 0xE0 to 0xE2 are extended tag IDs with 2 bytes length.
if ((tag >= 0xE0) && (tag <= 0xE2)) {
+ if (i + 1 >= cData_len) {
+ ret = false;
+ break;
+ }
tag = (tag<<8) | c_data[i++];
}
+ if (i + 1 >= cData_len) {
+ ret = false;
+ break;
+ }
len = c_data[i++];
conf_vec.insert(conf_vec.begin(),len);
+ if (i + len > cData_len) {
+ ret = false;
+ break;
+ }
for (j = 1; j <= len; j++) {
conf_vec.insert(conf_vec.begin() + j, c_data[i++]);
}
conf_map[tag] = conf_vec;
conf_vec.clear();
}
- return true;
+ return ret;
}
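Review bot: Every new `ret = false; break;` exit in get_conf_map leaves without a log line and keeps whatever entries were already stored in `conf_map`, so a truncated blob yields a half-populated map with nothing in the log to explain the failure. `conf_map` appears to be declared outside this function, so whether that partial state is ever used depends on callers checking the return value, which the hunk does not show. Consider logging once at the failure point, e.g. `NXPLOG_UCIHAL_E("get_conf_map: truncated TLV at offset %d", i);`, and calling `conf_map.clear();` before returning false if the container supports it. get_input_map in the previous hunk has the same silent exits with `input_map`.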
/******************************************************************************
@@ -642,8 +676,8 @@ tHAL_UWB_STATUS phNxpUciHal_write_unlocked(uint16_t data_len, const uint8_t* p_d
goto clean_and_return;
}
- if(data_len > UCI_MAX_DATA_LEN){
- NXPLOG_UCIHAL_E("data_lensize exceeds the UCI_MAX_DATA_LEN");
+ if ((data_len > UCI_MAX_DATA_LEN) || (data_len < UCI_PKT_HDR_LEN)) {
+ NXPLOG_UCIHAL_E("Invalid data_len");
data_len = 0;
goto clean_and_return;
}
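Review bot: The replacement message `"Invalid data_len"` no longer says which bound was violated and omits the offending value, which makes a rejected write hard to triage from logs. Suggest `NXPLOG_UCIHAL_E("Invalid data_len %d", data_len);` placed before the `data_len = 0;` assignment. The enclosing function starts and ends outside the hunk, so it cannot be confirmed here that `clean_and_return` reports a failure status to the caller when `data_len` is zeroed.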
diff --git a/halimpl/hal/phNxpUciHal_ext.cc b/halimpl/hal/phNxpUciHal_ext.cc
index 3dfd1a3..4c47a91 100644
--- a/halimpl/hal/phNxpUciHal_ext.cc
+++ b/halimpl/hal/phNxpUciHal_ext.cc
@@ -1,5 +1,5 @@
/*
- * Copyright 2012-2020,2022 NXP
+ * Copyright 2012-2019, 2022-2023 NXP
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -167,6 +167,10 @@ tHAL_UWB_STATUS phNxpUciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data,
tHAL_UWB_STATUS phNxpUciHal_send_ext_cmd(uint16_t cmd_len, const uint8_t* p_cmd) {
tHAL_UWB_STATUS status;
+ if (cmd_len >= UCI_MAX_DATA_LEN) {
+ status = UWBSTATUS_FAILED;
+ return status;
+ }
HAL_ENABLE_EXT();
nxpucihal_ctrl.cmd_len = cmd_len;
memcpy(nxpucihal_ctrl.p_cmd_data, p_cmd, cmd_len);
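Review bot: The new check rejects `cmd_len >= UCI_MAX_DATA_LEN`, while phNxpUciHal_write_unlocked in phNxpUciHal.cc only rejects `data_len > UCI_MAX_DATA_LEN`, so the two entry points disagree on the largest legal packet. Since the check guards the `memcpy` into `nxpucihal_ctrl.p_cmd_data`, it would be clearer to compare against that buffer's declared size (not visible in this hunk) and to add a comment explaining why `>=` is used here. The rejection path is also silent, and `p_cmd` is not checked for NULL before the copy. A line such as `NXPLOG_UCIHAL_E("send_ext_cmd: invalid cmd_len %d", cmd_len);` before the return would make dropped commands visible. The function body continues beyond the hunk.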