The length of a packet should be non-zero am: 396ac0e081 am: 6e2338cb88 am: 653f2de33b am: 84c29af749 am: 38d8d7496e am: eba32e8624 am: a8e03966e0 am: 49af624822

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/nfc/+/19504916

Change-Id: I4bded8f7e93aa4f34f7b23edd0377a288eed6428
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/rustfmt.toml b/rustfmt.toml
deleted file mode 100644
index 617d425..0000000
--- a/rustfmt.toml
+++ /dev/null
@@ -1,5 +0,0 @@
-# Android Format Style
-
-edition = "2018"
-use_small_heuristics = "Max"
-newline_style = "Unix"
diff --git a/rustfmt.toml b/rustfmt.toml
new file mode 120000
index 0000000..ee92d9e
--- /dev/null
+++ b/rustfmt.toml
@@ -0,0 +1 @@
+../../build/soong/scripts/rustfmt.toml
\ No newline at end of file
diff --git a/src/fuzzers/integration/nfc_integration_fuzzer_impl.cc b/src/fuzzers/integration/nfc_integration_fuzzer_impl.cc
index 2e2e8a2..2a5aae6 100644
--- a/src/fuzzers/integration/nfc_integration_fuzzer_impl.cc
+++ b/src/fuzzers/integration/nfc_integration_fuzzer_impl.cc
@@ -12,14 +12,23 @@
 #include "nfc_api.h"
 #include "nfc_int.h"
 #include "nfc_task_helpers.h"
+#include "rw_int.h"
 
 extern uint32_t g_tick_count;
+extern tRW_CB rw_cb;
 
 FuzzedDataProvider* g_fuzzed_data;
 
 static bool g_saw_event = false;
 static tNFA_EE_DISCOVER_REQ g_ee_info;
 
+void fuzz_cback(tRW_EVENT event, tRW_DATA *p_rw_data) {
+  (void)event;
+  (void)p_rw_data;
+}
+constexpr int32_t kMaxFramesSize =
+    USHRT_MAX - NFC_HDR_SIZE - NCI_MSG_OFFSET_SIZE - NCI_DATA_HDR_SIZE - 3;
+
 static void nfa_dm_callback(uint8_t event, tNFA_DM_CBACK_DATA*) {
   g_saw_event = true;
   LOG(INFO) << android::base::StringPrintf("nfa_dm_callback got event %d",
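Review bot: `fuzz_cback` is defined with external linkage and no prior declaration, while the file's other callbacks in this hunk (`nfa_dm_callback`) are `static`; declaring it `static void fuzz_cback(tRW_EVENT event, tRW_DATA* p_rw_data)` keeps it file-local and avoids a missing-prototype warning without changing how `rw_cb.p_cback` takes its address. `kMaxFramesSize` is declared `int32_t` but its only apparent use is as an upper bound for a `size_t` length, so `constexpr size_t kMaxFramesSize = ...;` (the value is well below `USHRT_MAX`, so it also fits `uint16_t`) would avoid a signed/unsigned comparison at the use site. A one-line comment above it saying why the bound exists, e.g. `// Largest payload NFA_SendRawFrame can carry in its uint16_t length once NFC/NCI headers are accounted for`, would help the next reader.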
@@ -301,7 +310,9 @@
       std::vector<uint8_t> frame(
           command.send_raw_frame().data(),
           command.send_raw_frame().data() + command.send_raw_frame().size());
-      NFA_SendRawFrame(frame.data(), frame.size(),
+      uint16_t frameSize =
+          frame.size() <= kMaxFramesSize ? frame.size() : kMaxFramesSize;
+      NFA_SendRawFrame(frame.data(), frameSize,
                        /*presence check start delay*/ 0);
       break;
     }
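Review bot: The clamp `frame.size() <= kMaxFramesSize ? frame.size() : kMaxFramesSize` compares a `size_t` with an `int32_t` and then narrows the result to `uint16_t` implicitly; the intent is clearer and warning-free as `const uint16_t frameSize = static_cast<uint16_t>(std::min<size_t>(frame.size(), kMaxFramesSize));` (add `#include <algorithm>` if the file does not already have it). Silently truncating an over-long fuzz input is reasonable for a fuzzer, but a short comment such as `// Oversized inputs are truncated to the largest frame the API can address` would record that this is deliberate rather than a bug. The enclosing switch/function starts and ends outside this hunk.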
@@ -501,6 +512,7 @@
   memset(&g_ee_info, 0, sizeof(g_ee_info));
   NFA_Init(&fuzzed_hal_entry);
 
+  rw_cb.p_cback = &fuzz_cback;
   NFA_Enable(nfa_dm_callback, nfa_conn_callback);
   DoAllTasks(false);
 
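Review bot: `rw_cb.p_cback = &fuzz_cback;` is set once before `NFA_Enable`, but if the library's tag-activation path reassigns `rw_cb.p_cback` itself (upstream `RW_SetActivatedTagType` does), the fuzz callback would be replaced after the first activation and only cover the window before it; worth confirming that the assignment survives, or re-applying it where activation is simulated. A comment such as `// Install a no-op RW callback so RW events raised before activation have a sink` would state what the line is for. The enclosing function starts and ends outside this hunk.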
diff --git a/src/fuzzers/nci/stubs.cc b/src/fuzzers/nci/stubs.cc
index 250669c..ac5519a 100644
--- a/src/fuzzers/nci/stubs.cc
+++ b/src/fuzzers/nci/stubs.cc
@@ -25,6 +25,7 @@
 
 void rw_t4t_handle_isodep_nak_rsp(uint8_t, bool) {}
 
+void rw_t3t_handle_nci_poll_rsp(uint8_t) {}
 void rw_t3t_handle_nci_poll_ntf(uint8_t nci_status, uint8_t num_responses,
                                 uint8_t sensf_res_buf_size,
                                 uint8_t* p_sensf_res_buf) {
diff --git a/src/gki/common/gki_time.cc b/src/gki/common/gki_time.cc
index ff7ee2f..7dce1d4 100644
--- a/src/gki/common/gki_time.cc
+++ b/src/gki/common/gki_time.cc
@@ -911,6 +911,9 @@
         break;
       }
     }
+    /* Recovering from unexpected state.
+       e.g. when TIMER_LIST_ENT is cleared before stop */
+    if (p_timer_listq->last_ticks) p_timer_listq->last_ticks = 0;
   }
 
   return;
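Review bot: The added guard `if (p_timer_listq->last_ticks) p_timer_listq->last_ticks = 0;` is a redundant test, since writing zero unconditionally has the same effect; `p_timer_listq->last_ticks = 0;` on its own is simpler and keeps the recovery comment directly above the statement it explains. The comment could also say what symptom this prevents, e.g. `/* Reset the queue's tick baseline; a stale last_ticks would be reused if a TIMER_LIST_ENT was cleared before being stopped */`. The enclosing function starts and ends outside this hunk.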
diff --git a/src/nfa/rw/nfa_rw_act.cc b/src/nfa/rw/nfa_rw_act.cc
index 4721b68..598944a 100644
--- a/src/nfa/rw/nfa_rw_act.cc
+++ b/src/nfa/rw/nfa_rw_act.cc
@@ -2368,7 +2368,7 @@
 
     case NFA_RW_OP_I93_STAY_QUIET:
       i93_command = I93_CMD_STAY_QUIET;
-      status = RW_I93StayQuiet(p_data->op_req.params.i93_cmd.p_data);
+      status = RW_I93StayQuiet(p_data->op_req.params.i93_cmd.uid);
       break;
 
     case NFA_RW_OP_I93_READ_SINGLE_BLOCK:
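Review bot: `p_data->op_req.params.i93_cmd.uid` replaces the old trailing-buffer pointer, but the struct change that adds `uid` and `uid_present` is not in this diff, so it cannot be checked here that `uid` is `I93_UID_BYTE_LEN` bytes, which the `memcpy` in the nfa_rw_api.cc hunk (`@@ -930`) relies on for staying in bounds. In that same hunk `uid_present = true` is written but nothing in the diff reads it; if no consumer exists yet, a comment at the field or a reader should be added so the flag does not become dead state. Both enclosing functions start and end outside their hunks.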
diff --git a/src/nfa/rw/nfa_rw_api.cc b/src/nfa/rw/nfa_rw_api.cc
index 0e7a98e..cc7c7b6 100644
--- a/src/nfa/rw/nfa_rw_api.cc
+++ b/src/nfa/rw/nfa_rw_api.cc
@@ -930,8 +930,8 @@
     /* Fill in tNFA_RW_OPERATION struct */
     p_msg->hdr.event = NFA_RW_OP_REQUEST_EVT;
     p_msg->op = NFA_RW_OP_I93_STAY_QUIET;
-    p_msg->params.i93_cmd.p_data = (uint8_t*)(p_msg + 1);
-    memcpy(p_msg->params.i93_cmd.p_data, p_uid, I93_UID_BYTE_LEN);
+    p_msg->params.i93_cmd.uid_present = true;
+    memcpy(p_msg->params.i93_cmd.uid, p_uid, I93_UID_BYTE_LEN);
 
     nfa_sys_sendmsg(p_msg);
 
diff --git a/src/nfc/include/nfc_int.h b/src/nfc/include/nfc_int.h
index 5ecc879..6af43fd 100644
--- a/src/nfc/include/nfc_int.h
+++ b/src/nfc/include/nfc_int.h
@@ -282,6 +282,7 @@
 extern void nfc_ncif_proc_conn_create_rsp(uint8_t* p, uint16_t plen,
                                           uint8_t dest_type);
 extern void nfc_ncif_report_conn_close_evt(uint8_t conn_id, tNFC_STATUS status);
+extern void nfc_ncif_proc_t3t_polling_rsp(uint8_t status);
 extern void nfc_ncif_proc_t3t_polling_ntf(uint8_t* p, uint16_t plen);
 extern void nfc_ncif_proc_reset_rsp(uint8_t* p, bool is_ntf);
 extern void nfc_ncif_proc_init_rsp(NFC_HDR* p_msg);
diff --git a/src/nfc/include/rw_int.h b/src/nfc/include/rw_int.h
index e25f48e..c07daa2 100644
--- a/src/nfc/include/rw_int.h
+++ b/src/nfc/include/rw_int.h
@@ -895,6 +895,7 @@
 extern void rw_t3t_process_timeout(TIMER_LIST_ENT* p_tle);
 extern tNFC_STATUS rw_t3t_select(uint8_t peer_nfcid2[NCI_RF_F_UID_LEN],
                                  uint8_t mrti_check, uint8_t mrti_update);
+void rw_t3t_handle_nci_poll_rsp(uint8_t nci_status);
 void rw_t3t_handle_nci_poll_ntf(uint8_t nci_status, uint8_t num_responses,
                                 uint8_t sensf_res_buf_size,
                                 uint8_t* p_sensf_res_buf);
diff --git a/src/nfc/nci/nci_hrcv.cc b/src/nfc/nci/nci_hrcv.cc
index 34d8573..2338f09 100644
--- a/src/nfc/nci/nci_hrcv.cc
+++ b/src/nfc/nci/nci_hrcv.cc
@@ -188,6 +188,7 @@
       break;
 
     case NCI_MSG_RF_T3T_POLLING:
+      nfc_ncif_proc_t3t_polling_rsp(*pp);
       break;
 
     case NCI_MSG_RF_DISCOVER_MAP:
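Review bot: `nfc_ncif_proc_t3t_polling_rsp(*pp)` dereferences the payload pointer with no visible check that at least one payload byte is present; given that this very commit is titled around non-zero packet lengths, confirm that the length check covering this `switch` (outside the hunk) guarantees a status byte, or guard the call as `if (len >= 1) nfc_ncif_proc_t3t_polling_rsp(*pp);` using whatever length variable the function tracks. A one-line comment `// Payload byte 0 is the NCI status` would document what `*pp` is. The enclosing function starts and ends outside this hunk.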
diff --git a/src/nfc/nfc/nfc_ncif.cc b/src/nfc/nfc/nfc_ncif.cc
index 47d00de..32b3f02 100644
--- a/src/nfc/nfc/nfc_ncif.cc
+++ b/src/nfc/nfc/nfc_ncif.cc
@@ -838,6 +838,15 @@
   } else if (NCI_DISCOVERY_TYPE_POLL_ACTIVE == p_param->mode) {
     acm_p = &p_param->param.acm_p;
 
+    /* Skip RF Tech Specific Parametres +
+     * Skip RF Technology mode, Tx , Rx baud rate & length params
+     * Byte 1         Byte 2     Byte 3    Byte 4
+     * Tech and Mode  Tx BR      Rx BR     Length of Act Param
+     */
+    p = p + len + 3;
+    plen = *p++;
+    LOG(INFO) << StringPrintf(
+        "RF Tech Specific Params, plen: 0x%x, atr_res_len: 0x%x", plen, *p);
     if (plen < 1) {
       goto invalid_packet;
     }
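Review bot: `p = p + len + 3;` followed by `plen = *p++;` and the `*p` read in the log statement advances past the technology-specific parameters and reads two further bytes without any visible check that `len + 5` bytes remain in the packet; the `plen < 1` test after it only validates the value read, not that the read was in bounds. A bound check against whatever end-of-packet limit the function already tracks should precede the reads, e.g. `if (p + len + 5 > PACKET_END_PLACEHOLDER) goto invalid_packet;` (placeholder for the function's actual limit), and the existing `plen` check should then also be compared against the remaining length. The comment block could also be tightened: "Parametres" → "Parameters", and the byte table would be clearer if it said these four bytes follow the skipped technology-specific parameters. The enclosing function starts and ends outside this hunk.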
@@ -1788,6 +1797,19 @@
 
 /*******************************************************************************
 **
+** Function         nfc_ncif_proc_t3t_polling_rsp
+**
+** Description      Handle NCI_MSG_RF_T3T_POLLING RSP
+**
+** Returns          void
+**
+*******************************************************************************/
+void nfc_ncif_proc_t3t_polling_rsp(uint8_t status) {
+  rw_t3t_handle_nci_poll_rsp(status);
+}
+
+/*******************************************************************************
+**
 ** Function         nfc_ncif_proc_t3t_polling_ntf
 **
 ** Description      Handle NCI_MSG_RF_T3T_POLLING NTF
diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
index 2b246e8..1aa5836 100644
--- a/src/nfc/tags/rw_i93.cc
+++ b/src/nfc/tags/rw_i93.cc
@@ -3087,7 +3087,10 @@
 
   if (rw_cb.p_cback) {
     rw_data.status = status;
-
+    if ((NFC_STATUS_TIMEOUT == rw_data.status) &&
+        (p_i93->sent_cmd != I93_CMD_STAY_QUIET)) {
+      p_i93->state = RW_I93_STATE_IDLE;
+    }
     switch (p_i93->state) {
       case RW_I93_STATE_IDLE: /* in case of RawFrame */
         event = RW_I93_INTF_ERROR_EVT;
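Review bot: The `case RW_I93_STATE_IDLE: /* in case of RawFrame */` comment is now misleading, because the new lines above the switch also route every command timeout other than `I93_CMD_STAY_QUIET` into this case by resetting `p_i93->state` first; update it to `/* RawFrame, or any command timeout except STAY_QUIET (state reset above) */`. The new block itself would benefit from a why-comment, e.g. `/* A timed-out command leaves no valid tag state to resume; report it as an interface error and start over */`, since resetting state before the state switch is easy to misread as a bug. The enclosing function starts and ends outside this hunk.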
diff --git a/src/nfc/tags/rw_t2t_ndef.cc b/src/nfc/tags/rw_t2t_ndef.cc
index 74453fd..cc620e0 100644
--- a/src/nfc/tags/rw_t2t_ndef.cc
+++ b/src/nfc/tags/rw_t2t_ndef.cc
@@ -598,6 +598,8 @@
             } else {
               LOG(ERROR) << StringPrintf("Underflow p_t2t->bytes_count!");
               android_errorWriteLog(0x534e4554, "120506143");
+              failed = true;
+              break;
             }
             if ((tlvtype == TAG_LOCK_CTRL_TLV) || (tlvtype == TAG_NDEF_TLV)) {
               if (p_t2t->num_lockbytes > 0) {
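Review bot: The added `failed = true; break;` leaves the innermost enclosing `switch` (or loop), so whether the underflow actually stops processing depends on the loop header outside this hunk testing `failed` in its condition; if it does not, the loop continues with the underflowed `bytes_count` that the log just reported. The same pattern is added in the two later hunks of this file (`@@ -662` and `@@ -705`), so confirming the loop condition once covers all three. A comment such as `/* stop parsing: the TLV length is inconsistent with the bytes read */` on the `break` would make the intent explicit. The enclosing function starts and ends outside this hunk.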
@@ -662,6 +664,8 @@
             } else {
               LOG(ERROR) << StringPrintf("bytes_count underflow!");
               android_errorWriteLog(0x534e4554, "120506143");
+              failed = true;
+              break;
             }
             if ((tlvtype == TAG_MEM_CTRL_TLV) || (tlvtype == TAG_NDEF_TLV)) {
               p_t2t->tlv_value[2 - p_t2t->bytes_count] = p_data[offset];
@@ -705,6 +709,8 @@
             } else {
               LOG(ERROR) << StringPrintf("bytes_count underflow!");
               android_errorWriteLog(0x534e4554, "120506143");
+              failed = true;
+              break;
             }
             if (tlvtype == TAG_PROPRIETARY_TLV) {
               found = true;
@@ -718,6 +724,10 @@
         }
         offset++;
         break;
+      default:
+        LOG(ERROR) << StringPrintf("Unknown p_t2t->substate=%d",
+                                   p_t2t->substate);
+        failed = true;
     }
   }
 
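Review bot: The new `default:` case sets `failed = true` but has no terminating `break;`, unlike the other cases in the switch shown above it; adding `break;` after `failed = true;` keeps the cases uniform and protects against a later case being appended below it. The enclosing loop and function start and end outside this hunk.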
@@ -1966,7 +1976,7 @@
   uint16_t offset_in_seg;
   uint16_t block_boundary;
   uint8_t num_internal_bytes;
-  uint8_t num_bytes;
+  uint16_t num_bytes;
 
   /* Prepare attr for the current segment */
   memset(p_t2t->attr, 0, RW_T2T_SEGMENT_SIZE * sizeof(uint8_t));
diff --git a/src/nfc/tags/rw_t3t.cc b/src/nfc/tags/rw_t3t.cc
index 0e91498..2905e02 100644
--- a/src/nfc/tags/rw_t3t.cc
+++ b/src/nfc/tags/rw_t3t.cc
@@ -334,6 +334,25 @@
 
 /*******************************************************************************
 **
+** Function         rw_t3t_handle_nci_poll_rsp
+**
+** Description      Handle NCI_T3T_POLLING_RSP
+**
+** Returns          none
+**
+*******************************************************************************/
+void rw_t3t_handle_nci_poll_rsp(uint8_t nci_status) {
+  if (nci_status != NFC_STATUS_OK) {
+    tRW_T3T_CB* p_cb = &rw_cb.tcb.t3t;
+    /* in case of STATUS_REJECTED or other errors, */
+    /* NFCC MAY NOT send RF_T3T_POLLING_NTF */
+    /* stop timer for poll response */
+    nfc_stop_quick_timer(&p_cb->poll_timer);
+  }
+}
+
+/*******************************************************************************
+**
 ** Function         rw_t3t_handle_nci_poll_ntf
 **
 ** Description      Handle NCI_T3T_POLLING_NTF
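Review bot: `rw_t3t_handle_nci_poll_rsp` only stops `poll_timer` on a non-OK status; nothing in the function resets the T3T state machine or notifies the upper layer that the poll failed, so unless another path reports the error, the caller that issued the poll may be left waiting with no timeout to rescue it. Confirm that the failure is surfaced elsewhere, or report it through the same path the poll-timeout handler uses. The header comment could state this contract, e.g. `** Description      Handle NCI_T3T_POLLING_RSP; on error cancel the poll timer because no RF_T3T_POLLING_NTF will follow`.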
diff --git a/src/nfc/tags/rw_t5t.cc b/src/nfc/tags/rw_t5t.cc
index 06df3c9..113a3d9 100644
--- a/src/nfc/tags/rw_t5t.cc
+++ b/src/nfc/tags/rw_t5t.cc
@@ -841,6 +841,11 @@
       /* 2nd block to be locked can be the last 4 bytes of CC in case CC
        * is 8byte long, then T5T_Area starts */
       if (p_i93->rw_offset <= p_i93->t5t_area_last_offset) {
+        if (p_i93->block_size == 0) {
+          LOG(ERROR) << StringPrintf("%s - zero block_size error", __func__);
+          rw_i93_handle_error(NFC_STATUS_FAILED);
+          break;
+        }
         /* get the next block of NDEF TLV */
         block_number = (uint16_t)(p_i93->rw_offset / p_i93->block_size);