Prevent OOB read in rw_t3t_update_block()

Test: NFC enable/disable
Bug: 120506143
Bug: 120497437
Bug: 120497583
Merged-In: I839333505a253788e43a48a61eb7a646328c7fec
Change-Id: I839333505a253788e43a48a61eb7a646328c7fec
(cherry picked from commit 70ba0e5823b233d6bac37913f6ef86295438b5ff)
diff --git a/src/nfc/tags/rw_t3t.c b/src/nfc/tags/rw_t3t.c
index 817901d..f74ce04 100644
--- a/src/nfc/tags/rw_t3t.c
+++ b/src/nfc/tags/rw_t3t.c
@@ -22,7 +22,9 @@
  *  mode.
  *
  ******************************************************************************/
+#include <log/log.h>
 #include <string.h>
+
 #include "bt_types.h"
 #include "nfc_target.h"
 #include "trace_api.h"
@@ -1848,6 +1850,10 @@
                         NCI_NFCID2_LEN) != 0)) /* verify response IDm */
     {
       evt_data.status = NFC_STATUS_FAILED;
+    } else if (p_msg_rsp->len <
+               (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)) {
+      evt_data.status = NFC_STATUS_FAILED;
+      android_errorWriteLog(0x534e4554, "120506143");
     } else {
       /* Check if memory configuration (MC) block to see if SYS_OP=1 (NDEF
        * enabled) */
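Review bot: The new `else if (p_msg_rsp->len < ...)` branch is reached only after the preceding condition has already run `memcmp(..., NCI_NFCID2_LEN)` on the response IDm, so a response shorter than the IDm field would be read past its end before the length is tested. The start of that condition is outside the hunk, so an earlier length guard may already exist. If it does not, the length test should be the first branch of the chain, i.e. `if (p_msg_rsp->len < (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)) {` ahead of the IDm comparison. The same ordering applies to the identical check added in the hunk at -2061. The enclosing function begins and ends outside this hunk.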
@@ -2061,16 +2067,18 @@
                         NCI_NFCID2_LEN) != 0)) /* verify response IDm */
     {
       evt_data.status = NFC_STATUS_FAILED;
+    } else if (p_msg_rsp->len <
+               (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)) {
+      evt_data.status = NFC_STATUS_FAILED;
+      android_errorWriteLog(0x534e4554, "120506143");
     } else {
       /* Check if memory configuration (MC) block to see if SYS_OP=1 (NDEF
        * enabled) */
       p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA]; /* Point to MC data of
                                                            CHECK response */
 
-      if (p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] != 0x01) {
-        /* Tag is not currently enabled for NDEF */
-        evt_data.status = NFC_STATUS_FAILED;
-      } else {
+      evt_data.status = NFC_STATUS_FAILED;
+      if (p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] == 0x01) {
         /* Set MC_SP field with MC[0] = 0x00 & MC[1] = 0xC0 (Hardlock) to change
          * access permission from RW to RO */
         p_mc[T3T_MSG_FELICALITE_MC_OFFSET_MC_SP] = 0x00;
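Review bot: Both rejection sites log the same identifier, `android_errorWriteLog(0x534e4554, "120506143")`, although the commit message lists three bugs, so the event log cannot show which of the two handlers rejected a short response. Whether the handlers map to different bug numbers cannot be determined from the hunk; if they do, each site should log its own. Separately, the rewrite drops the comment that explained the failure case. A line such as `/* Fail unless the tag is NDEF-enabled (SYS_OP=1) and the branch below succeeds */` above `evt_data.status = NFC_STATUS_FAILED;` would keep the fail-by-default intent readable. The code that presumably sets a success status lies outside the hunk.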