summaryrefslogtreecommitdiff
path: root/nci
diff options
context:
space:
mode:
authorAlisher Alikhodjaev <alisher@google.com>2021-05-04 15:35:51 -0700
committerAlisher Alikhodjaev <alisher@google.com>2021-05-04 15:35:51 -0700
commitc39c851616f674edb8d9fa98010768eef3ba1913 (patch)
tree4cd9c8fd8829ca4808670cf3a81b534ee44e30a0 /nci
parentb7e5ab8782d69ad7e3f476e04cb24ffc144167aa (diff)
downloadNfc-c39c851616f674edb8d9fa98010768eef3ba1913.tar.gz
Potential out of bound in phNciNfc_RecvMfResp
Bug: 181346550 Test: build ok Change-Id: I2714d022724a3caf3abe077fb9806df3b25f7142
Diffstat (limited to 'nci')
-rw-r--r--nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp9
1 files changed, 9 insertions, 0 deletions
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
index 9f04c18b..bc87ae40 100644
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
@@ -1137,6 +1137,10 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
NdefMap->State == PH_FRINFC_NDEFMAP_STATE_WRITE ||
NdefMap->State == PH_FRINFC_NDEFMAP_STATE_WR_NDEF_LEN ||
NdefMap->State == PH_FRINFC_NDEFMAP_STATE_INIT)) {
+ if (2 > RspBuffInfo->wLen) {
+ android_errorWriteLog(0x534e4554, "181346550");
+ return NFCSTATUS_FAILED;
+ }
uint8_t rspAck = RspBuffInfo->pBuff[RspBuffInfo->wLen - 2];
uint8_t rspAckMask = ((RspBuffInfo->pBuff[RspBuffInfo->wLen - 1]) &
MAX_NUM_VALID_BITS_FOR_ACK);
@@ -1150,6 +1154,11 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
status = NFCSTATUS_SUCCESS;
uint16_t wRecvDataSz = 0;
+ if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
+ RspBuffInfo->wLen) {
+ android_errorWriteLog(0x534e4554, "181346550");
+ return NFCSTATUS_FAILED;
+ }
/* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
wPldDataSize = ((RspBuffInfo->wLen) -
(PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-03 17:48:49 +0000