commit 95ff95f8e286fc244d95bf8783410d03272c63a8
author George Chang <georgekgchang@google.com> Thu Feb 20 20:24:33 2020 +0800
committer George Chang <georgekgchang@google.com> Thu Mar 26 01:51:13 2020 +0000
tree 12f9ba5cd332680efd4c305b5efe35bea9e259fb
parent 1f119ee6542ca119eadb5b0a4a9689583dc50b38

Prevent OOB write in phNxpNciHal_write_ext

Bug: 139733543
Test: manual
Merged-In: I37024e155278ca10ec1af41885e6627352f0db14
Change-Id: I37024e155278ca10ec1af41885e6627352f0db14

halimpl/hal/phNxpNciHal_ext.cc

diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
index 7908141..a9d0deb 100755
--- a/halimpl/hal/phNxpNciHal_ext.cc
+++ b/halimpl/hal/phNxpNciHal_ext.cc
@@ -664,7 +664,8 @@
     }
   }
 
-  if (retval == 0x01 && p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
+  if (*cmd_len <= (NCI_MAX_DATA_LEN - 3) &&
+      retval == 0x01 && p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
     NXPLOG_NCIHAL_D("Going through extns - Adding Mifare in RF Discovery");
     p_cmd_data[2] += 3;
     p_cmd_data[3] += 1;
@@ -774,7 +775,8 @@
     phNxpNciHal_print_packet("RECV", p_rsp_data, 5);
     //        status = NFCSTATUS_FAILED;
     NXPLOG_NCIHAL_D("> Going through workaround - Dirty Set Config - End ");
-  } else if (p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
+  } else if (*cmd_len <= (NCI_MAX_DATA_LEN - 3) &&
+             p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
     NXPLOG_NCIHAL_D(
         "> Going through workaround - Add Mifare Classic in Discovery Map");
     p_cmd_data[*cmd_len] = 0x80;