[automerger skipped] OOB write in rw_t2t_handle_tlv_detect_rsp am: 975d2564e7 am: 0968938bef am: f489188394 -s ours am: 77c05d2e9d -s ours am: b661207e6f -s ours
am skip reason: Change-Id I44a3f26afb3591d1a94e2e0d7a8b1619beeaa7d6 with SHA-1 5fbc3a8889 is in history
Change-Id: I1d094db072ad2e3df250d7f81fb9a61ec70bfcca
diff --git a/src/nfa/dm/nfa_dm_discover.cc b/src/nfa/dm/nfa_dm_discover.cc
index 3414c91..8e5cd5c 100644
--- a/src/nfa/dm/nfa_dm_discover.cc
+++ b/src/nfa/dm/nfa_dm_discover.cc
@@ -76,7 +76,6 @@
static nfa_dm_p2p_prio_logic_t p2p_prio_logic_data;
-static void nfa_dm_send_tag_deselect_cmd(tNFA_NFC_PROTOCOL protocol);
/*******************************************************************************
**
@@ -2139,14 +2138,6 @@
switch (event) {
case NFA_DM_RF_DEACTIVATE_CMD:
- if (NFC_GetNCIVersion() == NCI_VERSION_2_0) {
- if ((nfa_dm_cb.disc_cb.activated_rf_interface == NFC_INTERFACE_FRAME) &&
- (p_data->deactivate_type == NFC_DEACTIVATE_TYPE_SLEEP)) {
- /* NCI 2.0- DH is responsible for sending deactivation commands before
- * RF_DEACTIVATE_CMD */
- nfa_dm_send_tag_deselect_cmd(nfa_dm_cb.disc_cb.activated_protocol);
- }
- }
if (nfa_dm_cb.disc_cb.activated_protocol == NCI_PROTOCOL_MIFARE) {
nfa_dm_cb.disc_cb.deact_pending = true;
@@ -2201,6 +2192,9 @@
}
if (p_data->nfc_discover.deactivate.reason !=
NFC_DEACTIVATE_REASON_DH_REQ_FAILED) {
+ /* count for number of times deactivate cmd sent */
+ nfa_dm_cb.deactivate_cmd_retry_count = 0;
+
sleep_wakeup_event = true;
nfa_dm_disc_notify_deactivation(NFA_DM_RF_DEACTIVATE_NTF,
&(p_data->nfc_discover));
@@ -2210,8 +2204,7 @@
NFC_DEACTIVATE_TYPE_SLEEP_AF)) {
if (p_data->nfc_discover.deactivate.reason !=
NFC_DEACTIVATE_REASON_DH_REQ_FAILED) {
- /* count for number of times deactivate cmd sent */
- nfa_dm_cb.deactivate_cmd_retry_count = 0;
+
nfa_dm_disc_new_state(NFA_DM_RFST_W4_HOST_SELECT);
}
if (old_sleep_wakeup_flag) {
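Review bot: The two removed lines at the top of this hunk are replaced by an added line that is empty, so the new file gains a blank line between the `if (... != NFC_DEACTIVATE_REASON_DH_REQ_FAILED)` condition and `nfa_dm_disc_new_state(NFA_DM_RFST_W4_HOST_SELECT);`. Drop that added blank line so the branch body is the single call it now is. The enclosing handler continues on both sides of the hunk.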
@@ -2246,7 +2239,6 @@
(!nfa_dm_cb.disc_cb.deact_pending)) {
nfa_dm_send_deactivate_cmd(NFA_DEACTIVATE_TYPE_DISCOVERY);
}
- nfa_dm_cb.deactivate_cmd_retry_count = 0;
} else {
nfa_dm_cb.deactivate_cmd_retry_count++;
nfa_dm_send_deactivate_cmd(p_data->nfc_discover.deactivate.type);
@@ -2259,6 +2251,24 @@
} else if (p_data->nfc_discover.deactivate.type ==
NFC_DEACTIVATE_TYPE_DISCOVERY) {
nfa_dm_disc_new_state(NFA_DM_RFST_DISCOVERY);
+ /* if deactivation type is discovery and comes after 3 tentatives of
+ * unsuccessful deactivation to sleep then reset the counter and notify
+ * upper layer.
+ *
+ */
+ if (nfa_dm_cb.deactivate_cmd_retry_count == 3) {
+ nfa_dm_cb.deactivate_cmd_retry_count = 0;
+ DLOG_IF(INFO, nfc_debug_enabled)
+ << __func__
+ << StringPrintf(
+ " NFA_DM_RF_DEACTIVATE_NTF to discovery after 3 attempt "
+ "of deactivate (sleep)");
+ if (p_data->nfc_discover.deactivate.reason ==
+ NFC_DEACTIVATE_REASON_DH_REQ_FAILED) {
+ nfa_dm_disc_notify_deactivation(NFA_DM_RF_DEACTIVATE_NTF,
+ &(p_data->nfc_discover));
+ }
+ }
if (nfa_dm_cb.disc_cb.disc_flags & NFA_DM_DISC_FLAGS_STOPPING) {
/* stop discovery */
NFC_Deactivate(NFA_DEACTIVATE_TYPE_IDLE);
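Review bot: The retry limit is a bare literal in `if (nfa_dm_cb.deactivate_cmd_retry_count == 3) {`, and the same limit presumably bounds the increment `nfa_dm_cb.deactivate_cmd_retry_count++` seen in the hunk at L46–L53, whose guard is outside this view. Give it one name used at both sites, e.g. `#define NFA_DM_DEACTIVATE_CMD_MAX_RETRY 3` (constructed name), and compare with `>=` rather than `==` so a count that has moved past the limit still resets and notifies instead of leaving the counter stuck; whether it can overshoot depends on that guard, so confirm against it. The comment above the check also carries an empty ` *` line before its `*/` that can go. The enclosing state handler starts and ends outside the hunk.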
@@ -3056,40 +3066,3 @@
memset(&p2p_prio_logic_data, 0x00, sizeof(nfa_dm_p2p_prio_logic_t));
}
-/*******************************************************************************
-**
-** Function nfa_dm_send_tag_deselect_cmd
-**
-** Description Send command to send tag in sleep state
-**
-** Returns void
-**
-*******************************************************************************/
-static void nfa_dm_send_tag_deselect_cmd(tNFA_NFC_PROTOCOL protocol) {
- NFC_HDR* p_msg;
- uint8_t* p;
-
- DLOG_IF(INFO, nfc_debug_enabled)
- << StringPrintf("nfa_dm_send_tag_deselect_cmd");
- p_msg = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
-
- if (p_msg) {
- if (protocol == NFC_PROTOCOL_ISO_DEP) {
- /* send one byte of 0xc2 as as deselect command to Tag */
- p_msg->len = 1;
- p_msg->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
- p = (uint8_t*)(p_msg + 1) + p_msg->offset;
- *p = NFA_RW_TAG_DESELECT_CMD;
- } else if (protocol == NFC_PROTOCOL_T2T) {
- p_msg->len = NFA_RW_TAG_SLP_REQ_LEN;
- p_msg->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
- p = (uint8_t*)(p_msg + 1) + p_msg->offset;
- memcpy((uint8_t*)(p_msg + 1) + p_msg->offset, NFA_RW_TAG_SLP_REQ,
- p_msg->len);
- } else {
- GKI_freebuf(p_msg);
- return;
- }
- NFC_SendData(NFC_RF_CONN_ID, p_msg);
- }
-}
diff --git a/src/nfa/hci/nfa_hci_act.cc b/src/nfa/hci/nfa_hci_act.cc
index 4ad9754..fbc4fbf 100644
--- a/src/nfa/hci/nfa_hci_act.cc
+++ b/src/nfa/hci/nfa_hci_act.cc
@@ -1413,7 +1413,7 @@
/* Something wrong, NVRAM data could be corrupt or first start with
* default session id */
nfa_hciu_send_clear_all_pipe_cmd();
- nfa_hci_cb.b_hci_netwk_reset = true;
+ nfa_hci_cb.b_hci_new_sessionId = true;
if (data_len < NFA_HCI_SESSION_ID_LEN) {
android_errorWriteLog(0x534e4554, "124524315");
}
@@ -1423,9 +1423,15 @@
case NFA_HCI_ANY_OPEN_PIPE:
nfa_hci_cb.cfg.admin_gate.pipe01_state = NFA_HCI_PIPE_OPENED;
-
if (nfa_hci_cb.b_hci_netwk_reset) {
+ /* Something wrong, NVRAM data could be corrupt or first start with
+ * default session id */
+ nfa_hciu_send_clear_all_pipe_cmd();
nfa_hci_cb.b_hci_netwk_reset = false;
+ nfa_hci_cb.b_hci_new_sessionId = true;
+ } else if (nfa_hci_cb.b_hci_new_sessionId) {
+ nfa_hci_cb.b_hci_new_sessionId = false;
+
/* Session ID is reset, Set New session id */
memcpy(
&nfa_hci_cb.cfg.admin_gate.session_id[NFA_HCI_SESSION_ID_LEN / 2],
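Review bot: The comment added inside `if (nfa_hci_cb.b_hci_netwk_reset) {` copies the NVRAM-corruption wording from the other site in this file (L124–L125 of the previous hunk), but here the trigger is the b_hci_netwk_reset flag rather than a session-id check, so it does not say why nfa_hciu_send_clear_all_pipe_cmd() is sent again from this state. Something like `/* network reset pending: clear all pipes now; b_hci_new_sessionId defers the new session id to the next ANY_OPEN_PIPE */` documents the hand-off that the flag assignments in this hunk visibly perform; that this means two ANY_OPEN_PIPE rounds is inferred from the flag order, so confirm it is the intended flow. The blank line after `nfa_hci_cb.b_hci_new_sessionId = false;` can be dropped. The enclosing switch and function continue outside the hunk.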
diff --git a/src/nfa/hci/nfa_hci_utils.cc b/src/nfa/hci/nfa_hci_utils.cc
index d64fe6c..1751af3 100644
--- a/src/nfa/hci/nfa_hci_utils.cc
+++ b/src/nfa/hci/nfa_hci_utils.cc
@@ -25,6 +25,7 @@
#include <android-base/stringprintf.h>
#include <base/logging.h>
+#include <log/log.h>
#include "nfa_dm_int.h"
#include "nfa_hci_api.h"
@@ -305,8 +306,13 @@
bool first_pkt = true;
uint16_t data_len;
tNFA_STATUS status = NFA_STATUS_OK;
- uint16_t max_seg_hcp_pkt_size = nfa_hci_cb.buff_size - NCI_DATA_HDR_SIZE;
-
+ uint16_t max_seg_hcp_pkt_size;
+ if (nfa_hci_cb.buff_size > (NCI_DATA_HDR_SIZE + 2)) {
+ max_seg_hcp_pkt_size = nfa_hci_cb.buff_size - NCI_DATA_HDR_SIZE;
+ } else {
+ android_errorWriteLog(0x534e4554, "124521372");
+ return NFA_STATUS_NO_BUFFERS;
+ }
char buff[100];
DLOG_IF(INFO, nfc_debug_enabled) << StringPrintf(
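Review bot: The new guard `if (nfa_hci_cb.buff_size > (NCI_DATA_HDR_SIZE + 2)) {` encodes the minimum usable buffer size with a bare `2`, and nothing on the page says what those two bytes account for (presumably a per-segment header that must fit alongside the NCI data header, but that is not shown here). Either name the constant or put a comment on the guard, e.g. `/* NOTE(review): buff_size must exceed NCI_DATA_HDR_SIZE + 2 — document what the extra 2 bytes cover */`, and record NFA_STATUS_NO_BUFFERS as a new return value in the function's header comment, which lies before this hunk. The enclosing function starts outside the hunk.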
@@ -349,8 +355,12 @@
memcpy(p_data, p_msg, data_len);
p_buf->len += data_len;
- msg_len -= data_len;
- if (msg_len > 0) p_msg += data_len;
+ if (msg_len >= data_len) {
+ msg_len -= data_len;
+ p_msg += data_len;
+ } else {
+ msg_len = 0;
+ }
}
if (HCI_LOOPBACK_DEBUG == NFA_HCI_DEBUG_ON)
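Review bot: The new underflow guard `if (msg_len >= data_len) {` comes after `memcpy(p_data, p_msg, data_len);`, so in the case it handles (msg_len smaller than data_len) the copy has already read data_len bytes from a message with only msg_len bytes left; if data_len is always derived from msg_len before this point, the else branch is dead code instead. Clamp before the copy, `if (data_len > msg_len) data_len = msg_len;` ahead of the memcpy, after which the plain `msg_len -= data_len; p_msg += data_len;` is sufficient. How data_len is computed is outside the hunk, so which of the two situations applies cannot be confirmed from here. The enclosing loop and function continue on both sides of the hunk.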
diff --git a/src/nfa/include/nfa_hci_int.h b/src/nfa/include/nfa_hci_int.h
index 5d13f95..456c279 100644
--- a/src/nfa/include/nfa_hci_int.h
+++ b/src/nfa/include/nfa_hci_int.h
@@ -371,6 +371,7 @@
uint8_t active_host[NFA_HCI_MAX_HOST_IN_NETWORK];
uint8_t reset_host[NFA_HCI_MAX_HOST_IN_NETWORK]; /* List of host reseting */
bool b_low_power_mode; /* Host controller in low power mode */
+ bool b_hci_new_sessionId; /* Command sent to set a new session Id */
bool b_hci_netwk_reset; /* Command sent to reset HCI Network */
bool w4_hci_netwk_init; /* Wait for other host in network to initialize */
TIMER_LIST_ENT timer; /* Timer to avoid indefinitely waiting for response */
diff --git a/src/nfc/tags/rw_mfc.cc b/src/nfc/tags/rw_mfc.cc
index 0ae0c2f..22cfc35 100644
--- a/src/nfc/tags/rw_mfc.cc
+++ b/src/nfc/tags/rw_mfc.cc
@@ -1342,6 +1342,7 @@
tRW_DETECT_NDEF_DATA ndef_data;
DLOG_IF(INFO, nfc_debug_enabled) << __func__ << " State=" << p_mfc->state;
+ evt_data.status = NFC_STATUS_FAILED;
/* Retry sending command if retry-count < max */
if (rw_cb.cur_retry < RW_MAX_RETRIES) {