OOB write in rw_t2t_handle_tlv_detect_rsp
Bug: 147309942
Bug: 147310271
Test: use proxmark as described in b/147309942
Change-Id: I44a3f26afb3591d1a94e2e0d7a8b1619beeaa7d6
Exempt-From-Owner-Approval: get +2 from new owner
diff --git a/src/nfc/tags/rw_t2t_ndef.cc b/src/nfc/tags/rw_t2t_ndef.cc
index c18c685..f2877c0 100644
--- a/src/nfc/tags/rw_t2t_ndef.cc
+++ b/src/nfc/tags/rw_t2t_ndef.cc
@@ -601,6 +601,12 @@
android_errorWriteLog(0x534e4554, "120506143");
}
if ((tlvtype == TAG_LOCK_CTRL_TLV) || (tlvtype == TAG_NDEF_TLV)) {
+ if (p_t2t->num_lockbytes > 0) {
+ LOG(ERROR) << StringPrintf("Malformed tag!");
+ android_errorWriteLog(0x534e4554, "147309942");
+ failed = true;
+ break;
+ }
/* Collect Lock TLV */
p_t2t->tlv_value[2 - p_t2t->bytes_count] = p_data[offset];
if (p_t2t->bytes_count == 0) {
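Review bot: The added guard `if (p_t2t->num_lockbytes > 0)` rejects the tag on an indirect condition and has no comment naming the write it protects, so a reader cannot tell why a non-zero lock-byte count means a malformed tag, or whether refusing a tag with a second Lock Control TLV is intended. I would put a comment above it along the lines of `/* Lock bytes were already recorded from an earlier TLV; refuse another one so the lock bookkeeping is never written past its bounds */`, with the wording confirmed against the array that actually overflowed, which is not visible in this hunk. The log line could also say what was wrong, e.g. `StringPrintf("Malformed tag: TLV received after lock bytes were collected")`, since a bare "Malformed tag!" next to the earlier 120506143 check makes the two rejections hard to tell apart in a bug report. Separately, the store `p_t2t->tlv_value[2 - p_t2t->bytes_count]` just below still relies on `bytes_count` being at most 2, and whether the check that ends at the top of the hunk guarantees this cannot be seen from here. The enclosing switch and loop begin and end outside the hunk, so it is worth confirming that `break` with `failed = true` really stops parsing of the remaining response bytes.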