Prevent Out of bounds read/write in nfc_ncif_set_config_status
Test: Nfc Enable/Disable; Android Beam; Tag reading
Bug: 114047681
Merged-In: Iaba48380879373a4807a9d50634f4f40be97ef81
Change-Id: Iaba48380879373a4807a9d50634f4f40be97ef81
(cherry picked from commit 74cf5266c1bb9ee064cbc7e2544909d5d001e429)
diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index a961bfe..551a816 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -23,6 +23,7 @@
* (callback). On the transmit side, it manages the command transmission.
*
******************************************************************************/
+#include <log/log.h>
#include <stdlib.h>
#include <string.h>
#include "nfc_target.h"
@@ -442,14 +443,30 @@
void nfc_ncif_set_config_status(uint8_t* p, uint8_t len) {
tNFC_RESPONSE evt_data;
if (nfc_cb.p_resp_cback) {
- evt_data.set_config.status = (tNFC_STATUS)*p++;
- evt_data.set_config.num_param_id = NFC_STATUS_OK;
- if (evt_data.set_config.status != NFC_STATUS_OK) {
- evt_data.set_config.num_param_id = *p++;
- STREAM_TO_ARRAY(evt_data.set_config.param_ids, p,
- evt_data.set_config.num_param_id);
+ evt_data.set_config.num_param_id = 0;
+ if (len == 0) {
+ NFC_TRACE_ERROR0("Insufficient RSP length");
+ evt_data.set_config.status = NFC_STATUS_SYNTAX_ERROR;
+ (*nfc_cb.p_resp_cback)(NFC_SET_CONFIG_REVT, &evt_data);
+ return;
}
-
+ evt_data.set_config.status = (tNFC_STATUS)*p++;
+ if (evt_data.set_config.status != NFC_STATUS_OK && len > 1) {
+ evt_data.set_config.num_param_id = *p++;
+ if (evt_data.set_config.num_param_id > NFC_MAX_NUM_IDS) {
+ android_errorWriteLog(0x534e4554, "114047681");
+ NFC_TRACE_ERROR1("OOB write num_param_id %d",
+ evt_data.set_config.num_param_id);
+ evt_data.set_config.num_param_id = 0;
+ } else if (evt_data.set_config.num_param_id <= len - 2) {
+ STREAM_TO_ARRAY(evt_data.set_config.param_ids, p,
+ evt_data.set_config.num_param_id);
+ } else {
+ NFC_TRACE_ERROR2("Insufficient RSP length %d,num_param_id %d", len,
+ evt_data.set_config.num_param_id);
+ evt_data.set_config.num_param_id = 0;
+ }
+ }
(*nfc_cb.p_resp_cback)(NFC_SET_CONFIG_REVT, &evt_data);
}
}
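Review bot: The two malformed-response branches in the new code (num_param_id above NFC_MAX_NUM_IDS at L40–L44, and num_param_id larger than the remaining payload at L48–L51) clear num_param_id but leave the status byte taken from the response, so the callback receives what looks like an ordinary failed SET_CONFIG with no offending IDs, whereas the len == 0 case a few lines earlier reports NFC_STATUS_SYNTAX_ERROR; a caller cannot tell a truncated or oversized response from a genuine controller rejection. Consider adding `evt_data.set_config.status = NFC_STATUS_SYNTAX_ERROR;` alongside the two `num_param_id = 0;` resets so all three parse failures are reported the same way, unless callers are known to rely on the original status there. Relatedly, a response with a non-OK status and len == 1 skips the whole block because of the `&& len > 1` guard and is delivered silently, unlike every other short-response path, which at least traces an error; a trace in that case would keep the diagnostics consistent. The bound check also assumes param_ids holds exactly NFC_MAX_NUM_IDS entries (the `>` comparison allows num_param_id == NFC_MAX_NUM_IDS), which cannot be confirmed from this hunk — worth a comment such as `/* param_ids[] has NFC_MAX_NUM_IDS slots; reject anything larger */` next to the check.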