Prevent OOB read in rw_t3t_update_block()
Test: NFC enable/disable
Bug: 120506143
Bug: 120497437
Bug: 120497583
Change-Id: I839333505a253788e43a48a61eb7a646328c7fec
(cherry picked from commit 3652c138153fe5ceba3520495b384c6ae14a9286)
diff --git a/src/nfc/tags/rw_t3t.cc b/src/nfc/tags/rw_t3t.cc
index e278900..45321e5 100644
--- a/src/nfc/tags/rw_t3t.cc
+++ b/src/nfc/tags/rw_t3t.cc
@@ -26,6 +26,7 @@
#include <android-base/stringprintf.h>
#include <base/logging.h>
+#include <log/log.h>
#include "nfc_target.h"
@@ -1839,6 +1840,10 @@
NCI_NFCID2_LEN) != 0)) /* verify response IDm */
{
evt_data.status = NFC_STATUS_FAILED;
+ } else if (p_msg_rsp->len <
+ (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)) {
+ evt_data.status = NFC_STATUS_FAILED;
+ android_errorWriteLog(0x534e4554, "120506143");
} else {
/* Check if memory configuration (MC) block to see if SYS_OP=1 (NDEF
* enabled) */
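Review bot: The new length guard carries no comment saying what it protects, while the neighbouring branches each explain their condition; a one-liner such as `/* CHECK response must carry the whole MC block before p_mc is dereferenced below */` would keep the intent visible to the next reader. The guard also runs after the IDm comparison at the top of this condition, which already reads NCI_NFCID2_LEN bytes out of the response; unless the path that delivers p_msg_rsp has already bounded len to cover the IDm field, that comparison is itself an over-read, so it is worth confirming where that earlier check lives. The same guard and error log are repeated in the hunk at -2050,16, where both remarks apply as well. The enclosing function begins before this hunk.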
@@ -2050,16 +2055,18 @@
NCI_NFCID2_LEN) != 0)) /* verify response IDm */
{
evt_data.status = NFC_STATUS_FAILED;
+ } else if (p_msg_rsp->len <
+ (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)) {
+ evt_data.status = NFC_STATUS_FAILED;
+ android_errorWriteLog(0x534e4554, "120506143");
} else {
/* Check if memory configuration (MC) block to see if SYS_OP=1 (NDEF
* enabled) */
p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA]; /* Point to MC data of
CHECK response */
- if (p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] != 0x01) {
- /* Tag is not currently enabled for NDEF */
- evt_data.status = NFC_STATUS_FAILED;
- } else {
+ evt_data.status = NFC_STATUS_FAILED;
+ if (p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] == 0x01) {
/* Set MC_SP field with MC[0] = 0x00 & MC[1] = 0xC0 (Hardlock) to change
* access permission from RW to RO */
p_mc[T3T_MSG_FELICALITE_MC_OFFSET_MC_SP] = 0x00;