Merge cherrypicks of [5313290, 5313323, 5313343, 5313415, 5313291, 5313441, 5313557, 5313344, 5313383, 5313384, 5313324, 5313325, 5313326, 5313294, 5313295, 5313296, 5313498] into oc-m8-release

Change-Id: Icd4599b88fd93fd6b2f89bd831e3047930ef3822
diff --git a/src/nfc/llcp/llcp_link.c b/src/nfc/llcp/llcp_link.c
index 5fa6a41..e2d2387 100644
--- a/src/nfc/llcp/llcp_link.c
+++ b/src/nfc/llcp/llcp_link.c
@@ -1128,7 +1128,7 @@
   agf_length = p_agf->len;
   p = (uint8_t*)(p_agf + 1) + p_agf->offset;
 
-  while (agf_length > 0) {
+  while (agf_length >= LLCP_PDU_HEADER_SIZE) {
     /* get length of PDU */
     p_pdu_length = p;
     BE_STREAM_TO_UINT16(pdu_length, p);
diff --git a/src/nfc/llcp/llcp_util.c b/src/nfc/llcp/llcp_util.c
index afd5749..3b984e3 100644
--- a/src/nfc/llcp/llcp_util.c
+++ b/src/nfc/llcp/llcp_util.c
@@ -22,7 +22,9 @@
  *
  ******************************************************************************/
 
+#include <log/log.h>
 #include <string.h>
+
 #include "bt_types.h"
 #include "gki.h"
 #include "llcp_defs.h"
@@ -43,19 +45,33 @@
 bool llcp_util_parse_link_params(uint16_t length, uint8_t* p_bytes) {
   uint8_t param_type, param_len, *p = p_bytes;
 
-  while (length) {
+  while (length >= 2) {
     BE_STREAM_TO_UINT8(param_type, p);
-    length--;
+    BE_STREAM_TO_UINT8(param_len, p);
+    if (length < param_len + 2) {
+      android_errorWriteLog(0x534e4554, "114238578");
+      LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+      return false;
+    }
+    length -= param_len + 2;
 
     switch (param_type) {
       case LLCP_VERSION_TYPE:
-        BE_STREAM_TO_UINT8(param_len, p);
+        if (param_len != LLCP_VERSION_LEN) {
+          android_errorWriteLog(0x534e4554, "114238578");
+          LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+          return false;
+        }
         BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_version, p);
         LLCP_TRACE_DEBUG1("Peer Version - 0x%02X", llcp_cb.lcb.peer_version);
         break;
 
       case LLCP_MIUX_TYPE:
-        BE_STREAM_TO_UINT8(param_len, p);
+        if (param_len != LLCP_MIUX_LEN) {
+          android_errorWriteLog(0x534e4554, "114238578");
+          LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+          return false;
+        }
         BE_STREAM_TO_UINT16(llcp_cb.lcb.peer_miu, p);
         llcp_cb.lcb.peer_miu &= LLCP_MIUX_MASK;
         llcp_cb.lcb.peer_miu += LLCP_DEFAULT_MIU;
@@ -63,20 +79,32 @@
         break;
 
       case LLCP_WKS_TYPE:
-        BE_STREAM_TO_UINT8(param_len, p);
+        if (param_len != LLCP_WKS_LEN) {
+          android_errorWriteLog(0x534e4554, "114238578");
+          LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+          return false;
+        }
         BE_STREAM_TO_UINT16(llcp_cb.lcb.peer_wks, p);
         LLCP_TRACE_DEBUG1("Peer WKS - 0x%04X", llcp_cb.lcb.peer_wks);
         break;
 
       case LLCP_LTO_TYPE:
-        BE_STREAM_TO_UINT8(param_len, p);
+        if (param_len != LLCP_LTO_LEN) {
+          android_errorWriteLog(0x534e4554, "114238578");
+          LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+          return false;
+        }
         BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_lto, p);
         llcp_cb.lcb.peer_lto *= LLCP_LTO_UNIT; /* 10ms unit */
         LLCP_TRACE_DEBUG1("Peer LTO - %d ms", llcp_cb.lcb.peer_lto);
         break;
 
       case LLCP_OPT_TYPE:
-        BE_STREAM_TO_UINT8(param_len, p);
+        if (param_len != LLCP_OPT_LEN) {
+          android_errorWriteLog(0x534e4554, "114238578");
+          LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+          return false;
+        }
         BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_opt, p);
         LLCP_TRACE_DEBUG1("Peer OPT - 0x%02X", llcp_cb.lcb.peer_opt);
         break;
@@ -88,13 +116,6 @@
         p += param_len;
         break;
     }
-
-    if (length >= param_len + 1)
-      length -= param_len + 1;
-    else {
-      LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad LTV's");
-      return false;
-    }
   }
   return true;
 }
@@ -465,13 +486,24 @@
   p_params->sn[0] = 0;
   p_params->sn[1] = 0;
 
-  while (length) {
+  while (length >= 2) {
     BE_STREAM_TO_UINT8(param_type, p);
-    length--;
+    BE_STREAM_TO_UINT8(param_len, p);
+    /* check remaining lengh */
+    if (length < param_len + 2) {
+      android_errorWriteLog(0x534e4554, "111660010");
+      LLCP_TRACE_ERROR0("llcp_util_parse_connect (): Bad TLV's");
+      return LLCP_STATUS_FAIL;
+    }
+    length -= param_len + 2;
 
     switch (param_type) {
       case LLCP_MIUX_TYPE:
-        BE_STREAM_TO_UINT8(param_len, p);
+        if (param_len != LLCP_MIUX_LEN) {
+          android_errorWriteLog(0x534e4554, "111660010");
+          LLCP_TRACE_ERROR0("llcp_util_parse_connect (): Bad TLV's");
+          return LLCP_STATUS_FAIL;
+        }
         BE_STREAM_TO_UINT16(p_params->miu, p);
         p_params->miu &= LLCP_MIUX_MASK;
         p_params->miu += LLCP_DEFAULT_MIU;
@@ -481,7 +513,11 @@
         break;
 
       case LLCP_RW_TYPE:
-        BE_STREAM_TO_UINT8(param_len, p);
+        if (param_len != LLCP_RW_LEN) {
+          android_errorWriteLog(0x534e4554, "111660010");
+          LLCP_TRACE_ERROR0("llcp_util_parse_connect (): Bad TLV's");
+          return LLCP_STATUS_FAIL;
+        }
         BE_STREAM_TO_UINT8(p_params->rw, p);
         p_params->rw &= 0x0F;
 
@@ -490,8 +526,6 @@
         break;
 
       case LLCP_SN_TYPE:
-        BE_STREAM_TO_UINT8(param_len, p);
-
         if (param_len == 0) {
           /* indicate that SN type is included without SN */
           p_params->sn[1] = LLCP_SN_TYPE;
@@ -515,14 +549,6 @@
         p += param_len;
         break;
     }
-
-    /* check remaining lengh */
-    if (length >= param_len + 1) {
-      length -= param_len + 1;
-    } else {
-      LLCP_TRACE_ERROR0("llcp_util_parse_connect (): Bad LTV's");
-      return LLCP_STATUS_FAIL;
-    }
   }
   return LLCP_STATUS_SUCCESS;
 }
@@ -599,13 +625,23 @@
   *p_miu = LLCP_DEFAULT_MIU;
   *p_rw = LLCP_DEFAULT_RW;
 
-  while (length) {
+  while (length >= 2) {
     BE_STREAM_TO_UINT8(param_type, p);
-    length--;
+    BE_STREAM_TO_UINT8(param_len, p);
+    if (length < param_len + 2) {
+      android_errorWriteLog(0x534e4554, "114237888");
+      LLCP_TRACE_ERROR0("llcp_util_parse_cc (): Bad TLV's");
+      return LLCP_STATUS_FAIL;
+    }
+    length -= param_len + 2;
 
     switch (param_type) {
       case LLCP_MIUX_TYPE:
-        BE_STREAM_TO_UINT8(param_len, p);
+        if (param_len != LLCP_MIUX_LEN) {
+          android_errorWriteLog(0x534e4554, "114237888");
+          LLCP_TRACE_ERROR0("llcp_util_parse_cc (): Bad TLV's");
+          return LLCP_STATUS_FAIL;
+        }
         BE_STREAM_TO_UINT16((*p_miu), p);
         (*p_miu) &= LLCP_MIUX_MASK;
         (*p_miu) += LLCP_DEFAULT_MIU;
@@ -614,7 +650,11 @@
         break;
 
       case LLCP_RW_TYPE:
-        BE_STREAM_TO_UINT8(param_len, p);
+        if (param_len != LLCP_RW_LEN) {
+          android_errorWriteLog(0x534e4554, "114237888");
+          LLCP_TRACE_ERROR0("llcp_util_parse_cc (): Bad TLV's");
+          return LLCP_STATUS_FAIL;
+        }
         BE_STREAM_TO_UINT8((*p_rw), p);
         (*p_rw) &= 0x0F;
 
@@ -628,13 +668,6 @@
         p += param_len;
         break;
     }
-
-    if (length >= param_len + 1)
-      length -= param_len + 1;
-    else {
-      LLCP_TRACE_ERROR0("llcp_util_parse_cc (): Bad LTV's");
-      return LLCP_STATUS_FAIL;
-    }
   }
   return LLCP_STATUS_SUCCESS;
 }
diff --git a/src/nfc/tags/rw_t2t_ndef.c b/src/nfc/tags/rw_t2t_ndef.c
index 2752963..83910e4 100644
--- a/src/nfc/tags/rw_t2t_ndef.c
+++ b/src/nfc/tags/rw_t2t_ndef.c
@@ -22,6 +22,7 @@
  *  Reader/Writer mode.
  *
  ******************************************************************************/
+#include <log/log.h>
 #include <string.h>
 #include "nfc_target.h"
 
@@ -606,6 +607,10 @@
 
                 /* Extract lockbytes info addressed by this Lock TLV */
                 xx = 0;
+                if (count > RW_T2T_MAX_LOCK_BYTES) {
+                  count = RW_T2T_MAX_LOCK_BYTES;
+                  android_errorWriteLog(0x534e4554, "112161557");
+                }
                 while (xx < count) {
                   p_t2t->lockbyte[p_t2t->num_lockbytes].tlv_index =
                       p_t2t->num_lock_tlvs;