Prevent information disclosure in rw_i93.cc
Bug: 143109193
Bug: 143155861
Bug: 143106535
Test: R/W i93 tags
Change-Id: I1d33d80760be986af9905304c17ce05cc0f9ce63
Exempt-From-Owner-Approval: get +2 from new owner
(cherry picked from commit 712dcda25084434ffd3e1e0df6c0f7e65441b7f1)
diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
index fbd7379..983eafa 100644
--- a/src/nfc/tags/rw_i93.cc
+++ b/src/nfc/tags/rw_i93.cc
@@ -2223,8 +2223,11 @@
block_number = (p_i93->ndef_tlv_start_offset + 1) / p_i93->block_size;
- if (rw_i93_send_cmd_write_single_block(block_number, p) ==
- NFC_STATUS_OK) {
+ if (length < p_i93->block_size) {
+ android_errorWriteLog(0x534e4554, "143109193");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ } else if (rw_i93_send_cmd_write_single_block(block_number, p) ==
+ NFC_STATUS_OK) {
/* update next writing offset */
p_i93->rw_offset = (block_number + 1) * p_i93->block_size;
p_i93->sub_state = RW_I93_SUBSTATE_WRITE_NDEF;
@@ -2378,8 +2381,11 @@
block_number = (p_i93->rw_offset / p_i93->block_size);
- if (rw_i93_send_cmd_write_single_block(block_number, p) ==
- NFC_STATUS_OK) {
+ if (length < p_i93->block_size) {
+ android_errorWriteLog(0x534e4554, "143155861");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ } else if (rw_i93_send_cmd_write_single_block(block_number, p) ==
+ NFC_STATUS_OK) {
/* set offset to the beginning of next block */
p_i93->rw_offset +=
p_i93->block_size - (p_i93->rw_offset % p_i93->block_size);
@@ -2800,7 +2806,10 @@
/* mark CC as read-only */
*(p + 1) |= I93_ICODE_CC_READ_ONLY;
- if (rw_i93_send_cmd_write_single_block(0, p) == NFC_STATUS_OK) {
+ if (length < p_i93->block_size) {
+ android_errorWriteLog(0x534e4554, "143106535");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ } else if (rw_i93_send_cmd_write_single_block(0, p) == NFC_STATUS_OK) {
p_i93->sub_state = RW_I93_SUBSTATE_WAIT_UPDATE_CC;
} else {
rw_i93_handle_error(NFC_STATUS_FAILED);