Merge "Prevent OOB read in ce_t4t_process_select_file_cmd" into qt-qpr1-dev
diff --git a/src/nfc/tags/ce_t4t.cc b/src/nfc/tags/ce_t4t.cc
index c8a6251..691ac05 100644
--- a/src/nfc/tags/ce_t4t.cc
+++ b/src/nfc/tags/ce_t4t.cc
@@ -645,6 +645,13 @@
if (instruct == T4T_CMD_INS_SELECT) {
/* P1 Byte is already parsed */
if (select_type == T4T_CMD_P1_SELECT_BY_FILE_ID) {
+ /* CLA+INS+P1+P2+Lc+FILE_ID = T4T_CMD_MAX_HDR_SIZE + T4T_FILE_ID_SIZE */
+ if (p_c_apdu->len < (T4T_CMD_MAX_HDR_SIZE + T4T_FILE_ID_SIZE)) {
+ LOG(ERROR) << "Wrong length";
+ GKI_freebuf(p_c_apdu);
+ ce_t4t_send_status(T4T_RSP_WRONG_LENGTH);
+ return;
+ }
ce_t4t_process_select_file_cmd(p_cmd);
} else {
LOG(ERROR) << StringPrintf("CET4T: Bad P1 byte (0x%02X)", select_type);
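Review bot: The new length guard lives in the caller, while `ce_t4t_process_select_file_cmd(p_cmd)` still receives a bare pointer with no length, so the callee cannot validate its own reads and any other call site would have to repeat the guard. Consider passing the remaining length (or `p_c_apdu`) into the callee and checking there, or at least add a comment at the call such as `/* p_c_apdu->len checked above; callee reads from p_cmd without a length */`. The error log `"Wrong length"` gives little context for triage; `LOG(ERROR) << "CET4T: SELECT by file ID too short, len=" << p_c_apdu->len;` would match the `CET4T:` prefix of the neighbouring log line, and it must stay ahead of `GKI_freebuf(p_c_apdu)` as the current line does. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here whether the header bytes were length-checked before P1 was parsed.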