authorAlisher Alikhodjaev <alisher@google.com>2022-03-18 17:13:05 -0700
committerAlisher Alikhodjaev <alisher@google.com>2022-03-18 17:20:50 -0700
commitf0d86f7fe23499cd4c6631348618463fbc496436 (patch)
tree2ecbfae652f27bd74ac3a36865bec199f33f954b /nci
parent4177b086cf2f1ae9c1831cb1a7ed88233c7a6aca (diff)
OOB read in phNciNfc_RecvMfResp()
The size of RspBuff for Mifare shall be at least 2 bytes: Mifare Req/Rsp Id + Status

Bug: 221852424
Test: build ok
Change-Id: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
Diffstat (limited to 'nci')
-rw-r--r--nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp14
1 files changed, 3 insertions, 11 deletions
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
index 604f881d..6eac1385 100644
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
@@ -1117,8 +1117,9 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
if (NULL == RspBuffInfo) {
status = NFCSTATUS_FAILED;
} else {
- if ((0 == (RspBuffInfo->wLen)) || (PH_NCINFC_STATUS_OK != wStatus) ||
- (NULL == (RspBuffInfo->pBuff))) {
+ if (((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
+ RspBuffInfo->wLen) ||
+ (PH_NCINFC_STATUS_OK != wStatus) || (NULL == (RspBuffInfo->pBuff))) {
status = NFCSTATUS_FAILED;
} else {
RecvdExtnRspId = (phNciNfc_ExtnRespId_t)RspBuffInfo->pBuff[0];
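Review bot: The consolidated length check on the new `+` lines sets `status = NFCSTATUS_FAILED` without the `android_errorWriteLog(0x534e4554, ...)` call that both removed checks carried (the `2 > RspBuffInfo->wLen` block in the second hunk and the ID+status size check in the third), so an undersized Mifare response no longer produces the SafetyNet log entry that previously made these truncated-buffer cases visible to monitoring. Consider keeping the report in the new branch, e.g. `android_errorWriteLog(0x534e4554, "221852424");` immediately before `status = NFCSTATUS_FAILED;`, using this change's bug id (or the original 181346550 if that is the id existing dashboards key on). The body of phNciNfc_RecvMfResp starts before this hunk and continues after it.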
@@ -1132,10 +1133,6 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
NdefMap->State == PH_FRINFC_NDEFMAP_STATE_WRITE ||
NdefMap->State == PH_FRINFC_NDEFMAP_STATE_WR_NDEF_LEN ||
NdefMap->State == PH_FRINFC_NDEFMAP_STATE_INIT)) {
- if (2 > RspBuffInfo->wLen) {
- android_errorWriteLog(0x534e4554, "181346550");
- return NFCSTATUS_FAILED;
- }
uint8_t rspAck = RspBuffInfo->pBuff[RspBuffInfo->wLen - 2];
uint8_t rspAckMask = ((RspBuffInfo->pBuff[RspBuffInfo->wLen - 1]) &
MAX_NUM_VALID_BITS_FOR_ACK);
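Review bot: With the local `2 > RspBuffInfo->wLen` guard removed, the reads at `pBuff[RspBuffInfo->wLen - 2]` and `pBuff[RspBuffInfo->wLen - 1]` are in bounds only because the entry check in the first hunk now requires `wLen >= PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE`, and the commit message (not the code here) states that sum is 2. A comment on the line before `uint8_t rspAck` would make the non-local invariant explicit, e.g. `/* wLen >= PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE (>= 2) was verified at entry, so the two trailing bytes exist */`. If the two constants' sum were ever reduced below 2 these reads would be out of bounds again, so a compile-time assertion on the constants where they are defined is worth considering. The enclosing state check and the function continue outside this hunk.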
@@ -1149,11 +1146,6 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
status = NFCSTATUS_SUCCESS;
uint16_t wRecvDataSz = 0;
- if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
- RspBuffInfo->wLen) {
- android_errorWriteLog(0x534e4554, "181346550");
- return NFCSTATUS_FAILED;
- }
/* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
wPldDataSize = ((RspBuffInfo->wLen) -
(PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));