commit 9590e00a52dfd0f59e3ed19987d1db9562b0477d
author George Chang <georgekgchang@google.com> Wed Oct 24 20:50:02 2018 +0800
committer George Chang <georgekgchang@google.com> Fri Nov 02 11:44:25 2018 +0800
tree f1bc7f44c0dbcfda51e6d102670fac4244ae2ea9
parent 53e290d9e62ecb9e1ef1a2461055c0685dc9d6c4

Prevent Out of bounds read/write in nfc_ncif_set_config_status

Test: Nfc Enable/Disable; Android Beam; Tag reading
Bug: 114047681
Merged-In: Iaba48380879373a4807a9d50634f4f40be97ef81
Change-Id: Iaba48380879373a4807a9d50634f4f40be97ef81
(cherry picked from commit 74cf5266c1bb9ee064cbc7e2544909d5d001e429)

src/nfc/nfc/nfc_ncif.c

diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index a961bfe..551a816 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -23,6 +23,7 @@
  *  (callback). On the transmit side, it manages the command transmission.
  *
  ******************************************************************************/
+#include <log/log.h>
 #include <stdlib.h>
 #include <string.h>
 #include "nfc_target.h"
@@ -442,14 +443,30 @@
 void nfc_ncif_set_config_status(uint8_t* p, uint8_t len) {
   tNFC_RESPONSE evt_data;
   if (nfc_cb.p_resp_cback) {
-    evt_data.set_config.status = (tNFC_STATUS)*p++;
-    evt_data.set_config.num_param_id = NFC_STATUS_OK;
-    if (evt_data.set_config.status != NFC_STATUS_OK) {
-      evt_data.set_config.num_param_id = *p++;
-      STREAM_TO_ARRAY(evt_data.set_config.param_ids, p,
-                      evt_data.set_config.num_param_id);
+    evt_data.set_config.num_param_id = 0;
+    if (len == 0) {
+      NFC_TRACE_ERROR0("Insufficient RSP length");
+      evt_data.set_config.status = NFC_STATUS_SYNTAX_ERROR;
+      (*nfc_cb.p_resp_cback)(NFC_SET_CONFIG_REVT, &evt_data);
+      return;
     }
-
+    evt_data.set_config.status = (tNFC_STATUS)*p++;
+    if (evt_data.set_config.status != NFC_STATUS_OK && len > 1) {
+      evt_data.set_config.num_param_id = *p++;
+      if (evt_data.set_config.num_param_id > NFC_MAX_NUM_IDS) {
+        android_errorWriteLog(0x534e4554, "114047681");
+        NFC_TRACE_ERROR1("OOB write num_param_id %d",
+                         evt_data.set_config.num_param_id);
+        evt_data.set_config.num_param_id = 0;
+      } else if (evt_data.set_config.num_param_id <= len - 2) {
+        STREAM_TO_ARRAY(evt_data.set_config.param_ids, p,
+                        evt_data.set_config.num_param_id);
+      } else {
+        NFC_TRACE_ERROR2("Insufficient RSP length %d,num_param_id %d", len,
+                         evt_data.set_config.num_param_id);
+        evt_data.set_config.num_param_id = 0;
+      }
+    }
     (*nfc_cb.p_resp_cback)(NFC_SET_CONFIG_REVT, &evt_data);
   }
 }