OOB Write in NFC stack when handling MIFARE Classic TLVs

Bug: 178725766
Test: build ok
Change-Id: I6b987168a552f286171dc610af691390853bc126
(cherry picked from commit 147b052f8456872081c18af85573eeb186c6efc2)
diff --git a/src/nfc/tags/rw_mfc.cc b/src/nfc/tags/rw_mfc.cc
index 27797ad..aaa5908 100644
--- a/src/nfc/tags/rw_mfc.cc
+++ b/src/nfc/tags/rw_mfc.cc
@@ -22,6 +22,7 @@
  ******************************************************************************/
 #include <android-base/stringprintf.h>
 #include <base/logging.h>
+#include <log/log.h>
 #include <string.h>
 #include "bt_types.h"
 #include "nfc_target.h"
@@ -997,6 +998,7 @@
   NFC_HDR* mfc_data;
   uint16_t len;
   uint16_t offset;
+  uint16_t saved_length;
   bool failed = false;
   bool done = false;
   tRW_READ_DATA evt_data;
@@ -1018,6 +1020,7 @@
       /* On the first read, adjust for any partial block offset */
       offset = 0;
       len = RW_MFC_1K_BLOCK_SIZE;
+      saved_length = p_mfc->ndef_length;
 
       if (p_mfc->work_offset == 0) {
         /* The Ndef Message offset may be present in the read 16 bytes */
@@ -1029,14 +1032,18 @@
         }
       }
 
-      /* Skip all reserved and lock bytes */
-      while ((offset < len) && (p_mfc->work_offset < p_mfc->ndef_length))
+      if (!failed && saved_length >= p_mfc->ndef_length) {
+        /* Skip all reserved and lock bytes */
+        while ((offset < len) && (p_mfc->work_offset < p_mfc->ndef_length))
 
-      {
-        /* Collect the NDEF Message */
-        p_mfc->p_ndef_buffer[p_mfc->work_offset] = p[offset];
-        p_mfc->work_offset++;
-        offset++;
+        {
+          /* Collect the NDEF Message */
+          p_mfc->p_ndef_buffer[p_mfc->work_offset] = p[offset];
+          p_mfc->work_offset++;
+          offset++;
+        }
+      } else {
+        android_errorWriteLog(0x534e4554, "178725766");
       }
 
       if (p_mfc->work_offset >= p_mfc->ndef_length) {
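Review bot: The new `else` branch that rejects a TLV-derived length larger than `saved_length` only emits the security log and leaves `failed` false, so the function presumably continues as if the block had been consumed even though `p_mfc->work_offset` was not advanced, which looks like it would either stall the read or let a later block be reassembled with these bytes missing. Setting the failure flag next to the log, `} else {` / `failed = true;` / `android_errorWriteLog(0x534e4554, "178725766");`, would route the rejected tag through the existing error path instead of silently dropping the data. The guard also deserves a comment stating why `saved_length` is the bound, e.g. `/* ndef_length may have been re-read from the TLV above; never collect past the length p_ndef_buffer was sized for */`, because the buffer's actual capacity is not visible at this point. The enclosing function starts before this hunk and its failure handling continues after it, so whether `failed` is consulted later should be confirmed against the full function.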