author | Bhautik Ardeshana <bhautik.ardeshana@nxp.com> | 2023-03-15 08:40:25 +0530 |
---|---|---|
committer | Bhautik Ardeshana <bhautik.ardeshana@nxp.com> | 2023-03-15 08:40:25 +0530 |
commit | 1ee9c729254cf4fd0c0a89399f45d91316c1f9ed (patch) | |
tree | bac1bdf8f0bd53806788db5e634f1d076b8180a6 | |
parent | e488ca90d6ea60690c578663e6f3b6ffa64e8e3a (diff) | |
uwb(hal): Fix security vulnarability reported in uwb halandroid-u-beta-1-gpl
Changes are mainly to resolve OOB (array index out-of-bounds) security
issues.
Bug: 269746228,268485040,268192935,267311318
Test: Android Security Assessment
Change-Id: Id3f43b048ded859ee7b14b6dba40d9b6a1ea54af
-rw-r--r-- | halimpl/hal/phNxpUciHal.cc | 44 | ||||
-rw-r--r-- | halimpl/hal/phNxpUciHal_ext.cc | 6 |
2 files changed, 44 insertions, 6 deletions
diff --git a/halimpl/hal/phNxpUciHal.cc b/halimpl/hal/phNxpUciHal.cc index 9479236..5fccbcf 100644 --- a/halimpl/hal/phNxpUciHal.cc +++ b/halimpl/hal/phNxpUciHal.cc @@ -1,5 +1,5 @@ /* - * Copyright 2012-2019, 2022 NXP + * Copyright 2012-2019, 2022-2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -79,6 +79,7 @@ static void phNxpUciHal_print_response_status(uint8_t *p_rx_data, *******************************************************************************/ bool get_input_map(const uint8_t* i_data, uint16_t iData_len) { vector<uint16_t> input_vec; + bool ret = true; uint16_t i = 0, j = 0, tag = 0, len = 0; i = UCI_PKT_HDR_LEN + UCI_PKT_PAYLOAD_STATUS_LEN + UCI_PKT_NUM_CAPS_LEN; if (i_data == NULL) { @@ -86,20 +87,36 @@ bool get_input_map(const uint8_t* i_data, uint16_t iData_len) { return false; } while (i < iData_len) { + if (i + 1 >= iData_len) { + ret = false; + break; + } tag = i_data[i++]; // Tag IDs from 0xE0 to 0xE2 are extended tag IDs with 2 bytes length. if((tag >= 0xE0) && (tag <= 0xE2)) { + if (i + 1 >= iData_len) { + ret = false; + break; + } tag = (tag << 8) | i_data[i++]; } + if (i + 1 >= iData_len) { + ret = false; + break; + } len = i_data[i++]; input_vec.insert(input_vec.begin(), len); + if (i + len > iData_len) { + ret = false; + break; + } for (j = 1; j <= len; j++) { input_vec.insert(input_vec.begin() + j, i_data[i++]); } input_map[tag] = input_vec; input_vec.clear(); } - return true; + return ret; } /******************************************************************************* 
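Review bot: The guard added before `len = i_data[i++];` in get_input_map is one byte stricter than the read it protects. Reading the length byte only needs `i < iData_len`, so `if (i + 1 >= iData_len)` also rejects a final element whose length byte is the last byte of the packet and holds 0; if zero-length elements are legal in this format, that is a functional regression. `if (i >= iData_len) {` at that spot is enough, because the following `i + len > iData_len` check already covers the value bytes. The same third guard appears in get_conf_map in the next hunk. The function starts in the previous hunk, where `ret` is declared.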
@@ -113,26 +130,43 @@ bool get_input_map(const uint8_t* i_data, uint16_t iData_len) { *******************************************************************************/ bool get_conf_map(uint8_t* c_data, uint16_t cData_len) { vector<uint16_t> conf_vec; + bool ret = true; uint16_t i = 0, j = 0, tag = 0, len = 0; if (c_data == NULL) { NXPLOG_UCIHAL_D("Country code conf map creation failed, c_data is NULL" ); return false; } while (i < cData_len) { + if (i + 1 >= cData_len) { + ret = false; + break; + } tag = c_data[i++]; // Tag IDs from 0xE0 to 0xE2 are extended tag IDs with 2 bytes length. if ((tag >= 0xE0) && (tag <= 0xE2)) { + if (i + 1 >= cData_len) { + ret = false; + break; + } tag = (tag<<8) | c_data[i++]; } + if (i + 1 >= cData_len) { + ret = false; + break; + } len = c_data[i++]; conf_vec.insert(conf_vec.begin(),len); + if (i + len > cData_len) { + ret = false; + break; + } for (j = 1; j <= len; j++) { conf_vec.insert(conf_vec.begin() + j, c_data[i++]); } conf_map[tag] = conf_vec; conf_vec.clear(); } - return true; + return ret; } /****************************************************************************** @@ -642,8 +676,8 @@ tHAL_UWB_STATUS phNxpUciHal_write_unlocked(uint16_t data_len, const uint8_t* p_d goto clean_and_return; } - if(data_len > UCI_MAX_DATA_LEN){ - NXPLOG_UCIHAL_E("data_lensize exceeds the UCI_MAX_DATA_LEN"); + if ((data_len > UCI_MAX_DATA_LEN) || (data_len < UCI_PKT_HDR_LEN)) { + NXPLOG_UCIHAL_E("Invalid data_len"); data_len = 0; goto clean_and_return; } diff --git a/halimpl/hal/phNxpUciHal_ext.cc b/halimpl/hal/phNxpUciHal_ext.cc index 3dfd1a3..4c47a91 100644 --- a/halimpl/hal/phNxpUciHal_ext.cc +++ b/halimpl/hal/phNxpUciHal_ext.cc @@ -1,5 +1,5 @@ /* - * Copyright 2012-2020,2022 NXP + * Copyright 2012-2019, 2022-2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
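Review bot: On the new failure path in get_conf_map, entries already stored by earlier iterations through `conf_map[tag] = conf_vec;` stay in place when a later element turns out to be truncated, so the function returns false with a partly filled map and no log line. conf_map is not declared in this hunk and appears to be shared state; since the old code returned true on every non-NULL input, it is worth confirming that the call sites check the result rather than consuming a partial configuration. Assuming conf_map is a standard map, something like `if (!ret) { NXPLOG_UCIHAL_E("conf map: truncated TLV"); conf_map.clear(); }` before `return ret;` would make the failure visible and leave no half-parsed state; whether clearing is right depends on whether the map is meant to accumulate across calls. get_input_map in the previous hunk has the same shape with input_map.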
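Review bot: The replacement message `"Invalid data_len"` in phNxpUciHal_write_unlocked no longer says which bound failed or what length was passed, which makes a rejected write hard to triage from logs. Including the value would help, for example `NXPLOG_UCIHAL_E("Invalid data_len %d", data_len);`. The rest of the function, including the `clean_and_return` label, is outside the hunk.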
@@ -167,6 +167,10 @@ tHAL_UWB_STATUS phNxpUciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data, tHAL_UWB_STATUS phNxpUciHal_send_ext_cmd(uint16_t cmd_len, const uint8_t* p_cmd) { tHAL_UWB_STATUS status; + if (cmd_len >= UCI_MAX_DATA_LEN) { + status = UWBSTATUS_FAILED; + return status; + } HAL_ENABLE_EXT(); nxpucihal_ctrl.cmd_len = cmd_len; memcpy(nxpucihal_ctrl.p_cmd_data, p_cmd, cmd_len); |
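Review bot: The new check in phNxpUciHal_send_ext_cmd rejects `cmd_len >= UCI_MAX_DATA_LEN`, while phNxpUciHal_write_unlocked in the same commit rejects only `data_len > UCI_MAX_DATA_LEN`, so a command of exactly UCI_MAX_DATA_LEN bytes is accepted by one path and refused by the other. The declaration of `nxpucihal_ctrl.p_cmd_data` is not visible here, so it cannot be told from the hunk which comparison matches the destination buffer of the `memcpy`; the two should be aligned, with a short comment naming the buffer size the bound protects. The rejection is also silent, and `p_cmd` is still copied without a NULL check; `if (p_cmd == NULL || cmd_len >= UCI_MAX_DATA_LEN) {` plus `NXPLOG_UCIHAL_E("send_ext_cmd: invalid command buffer or length");` before the return would cover both. The function continues past the end of the hunk.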