Prevent OOB in rw_i93.cc
Bug: 139188579
Test: Read/Write/Lock Type 5 Tag
Change-Id: Ife24f097c926184019038e559cbd806b289911c6
Exempt-From-Owner-Approval: Old Owners are all transferred to another BU
diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
index a8e095c..428bdae 100644
--- a/src/nfc/tags/rw_i93.cc
+++ b/src/nfc/tags/rw_i93.cc
@@ -51,6 +51,8 @@
#define RW_I93_FORMAT_DATA_LEN 8
/* max getting lock status if get multi block sec is supported */
#define RW_I93_GET_MULTI_BLOCK_SEC_SIZE 253
+/*Capability Container CC Size */
+#define RW_I93_CC_SIZE 4
/* main state */
enum {
@@ -1734,8 +1736,14 @@
case RW_I93_SUBSTATE_WAIT_CC:
- /* assume block size is more than 4 */
- STREAM_TO_ARRAY(cc, p, 4);
+ if (length < RW_I93_CC_SIZE) {
+ android_errorWriteLog(0x534e4554, "139188579");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
+
+ /* assume block size is more than RW_I93_CC_SIZE 4 */
+ STREAM_TO_ARRAY(cc, p, RW_I93_CC_SIZE);
status = NFC_STATUS_FAILED;
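Review bot: The comment kept above `STREAM_TO_ARRAY` ("assume block size is more than RW_I93_CC_SIZE 4") is now misleading, because the new guard enforces the bound rather than assuming it, and it talks about block size while the check is on `length`. I would replace it with `/* length >= RW_I93_CC_SIZE was verified above */`. The declaration of `cc` is outside this hunk; if it is still sized with a literal 4, it should become `cc[RW_I93_CC_SIZE]` so the copy length and the destination size cannot drift apart. The same guard, including the bare `0x534e4554` tag, is repeated in the hunk at -2775, so a short comment such as `/* SafetyNet event-log tag ("SNET") */` or a small shared helper would keep the two copies consistent.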
@@ -2775,6 +2783,12 @@
switch (p_i93->sub_state) {
case RW_I93_SUBSTATE_WAIT_CC:
+ if (length < RW_I93_CC_SIZE) {
+ android_errorWriteLog(0x534e4554, "139188579");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
+
/* mark CC as read-only */
*(p + 1) |= I93_ICODE_CC_READ_ONLY;
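Review bot: The guard covers the visible write to `*(p + 1)`, but the case body continues past the end of this hunk. If `p` is then passed to a block write that reads a full tag block from it, a four-byte response on a tag with a larger block size could still be read past its end. In that case the check should compare `length` with the block size kept in the control block as well as with `RW_I93_CC_SIZE`. It is also not visible here whether `length` has already been reduced for the flags byte consumed earlier in the function; the check is only meaningful if `length` counts the bytes remaining at `p`, so that is worth confirming.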