Prevent OOB in rw_i93.cc
Bug: 139188579
Test: Read/Write/Lock Type 5 Tag
Change-Id: Ife24f097c926184019038e559cbd806b289911c6
Exempt-From-Owner-Approval: Old Owners are all transferred to another BU
(cherry picked from commit 4025e2b929905f9b751f3612a6ee26cd5e599417)
diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
index 46f2bc8..495ee8f 100644
--- a/src/nfc/tags/rw_i93.cc
+++ b/src/nfc/tags/rw_i93.cc
@@ -50,6 +50,8 @@
#define RW_I93_FORMAT_DATA_LEN 8
/* max getting lock status if get multi block sec is supported */
#define RW_I93_GET_MULTI_BLOCK_SEC_SIZE 253
+/*Capability Container CC Size */
+#define RW_I93_CC_SIZE 4
/* main state */
enum {
@@ -1743,8 +1745,14 @@
case RW_I93_SUBSTATE_WAIT_CC:
- /* assume block size is more than 4 */
- STREAM_TO_ARRAY(cc, p, 4);
+ if (length < RW_I93_CC_SIZE) {
+ android_errorWriteLog(0x534e4554, "139188579");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
+
+ /* assume block size is more than RW_I93_CC_SIZE 4 */
+ STREAM_TO_ARRAY(cc, p, RW_I93_CC_SIZE);
status = NFC_STATUS_FAILED;
@@ -2798,6 +2806,12 @@
switch (p_i93->sub_state) {
case RW_I93_SUBSTATE_WAIT_CC:
+ if (length < RW_I93_CC_SIZE) {
+ android_errorWriteLog(0x534e4554, "139188579");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
+
/* mark CC as read-only */
*(p + 1) |= I93_ICODE_CC_READ_ONLY;