Merge cherrypicks of [5313290, 5313323, 5313343, 5313415, 5313291, 5313441, 5313557, 5313344, 5313383, 5313384, 5313324, 5313325, 5313326, 5313294, 5313295, 5313296, 5313498] into oc-m8-release
Change-Id: Icd4599b88fd93fd6b2f89bd831e3047930ef3822
diff --git a/src/nfc/llcp/llcp_link.c b/src/nfc/llcp/llcp_link.c
index 5fa6a41..e2d2387 100644
--- a/src/nfc/llcp/llcp_link.c
+++ b/src/nfc/llcp/llcp_link.c
@@ -1128,7 +1128,7 @@
agf_length = p_agf->len;
p = (uint8_t*)(p_agf + 1) + p_agf->offset;
- while (agf_length > 0) {
+ while (agf_length >= LLCP_PDU_HEADER_SIZE) {
/* get length of PDU */
p_pdu_length = p;
BE_STREAM_TO_UINT16(pdu_length, p);
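Review bot: The new guard `while (agf_length >= LLCP_PDU_HEADER_SIZE)` protects the two-byte read of the aggregated PDU's length prefix by reusing a constant whose name describes the LLCP PDU header rather than that prefix; the two happen to be the same size, but a reader has to know that to see why the bound is right. A one-line comment would make the intent explicit, e.g. `/* need 2 bytes for the encapsulated PDU's length prefix before reading it */`, or a dedicated constant defined equal to it. The guard only covers the length read itself; whether `pdu_length` is then compared against the remaining `agf_length` before the inner PDU is handed on happens below the hunk and should be confirmed. The enclosing function starts and ends outside the hunk.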
diff --git a/src/nfc/llcp/llcp_util.c b/src/nfc/llcp/llcp_util.c
index afd5749..3b984e3 100644
--- a/src/nfc/llcp/llcp_util.c
+++ b/src/nfc/llcp/llcp_util.c
@@ -22,7 +22,9 @@
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
+
#include "bt_types.h"
#include "gki.h"
#include "llcp_defs.h"
@@ -43,19 +45,33 @@
bool llcp_util_parse_link_params(uint16_t length, uint8_t* p_bytes) {
uint8_t param_type, param_len, *p = p_bytes;
- while (length) {
+ while (length >= 2) {
BE_STREAM_TO_UINT8(param_type, p);
- length--;
+ BE_STREAM_TO_UINT8(param_len, p);
+ if (length < param_len + 2) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+ return false;
+ }
+ length -= param_len + 2;
switch (param_type) {
case LLCP_VERSION_TYPE:
- BE_STREAM_TO_UINT8(param_len, p);
+ if (param_len != LLCP_VERSION_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_version, p);
LLCP_TRACE_DEBUG1("Peer Version - 0x%02X", llcp_cb.lcb.peer_version);
break;
case LLCP_MIUX_TYPE:
- BE_STREAM_TO_UINT8(param_len, p);
+ if (param_len != LLCP_MIUX_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT16(llcp_cb.lcb.peer_miu, p);
llcp_cb.lcb.peer_miu &= LLCP_MIUX_MASK;
llcp_cb.lcb.peer_miu += LLCP_DEFAULT_MIU;
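Review bot: The three-line failure path (android_errorWriteLog, LLCP_TRACE_ERROR0, `return false`) is pasted once per TLV type in the new code, so the bug-id string and the log text must be kept in sync in six places inside one function; a single `bad_tlv:` label at the end of the function would leave each case as one line, `if (param_len != LLCP_VERSION_LEN) goto bad_tlv;`. The length arithmetic itself is sound: `param_len + 2` is evaluated as int after promotion, so neither the uint8_t nor the uint16_t operand can wrap before the comparison or the subtraction. Note also that llcp_cb.lcb fields are written as each TLV is parsed, so on a `false` return the peer_version/peer_miu set by earlier TLVs stay in place; if the caller does not reset the link control block on failure it may act on partially-parsed values, which is worth confirming. The loop and the function's return are in a later hunk.
```c
    case LLCP_VERSION_TYPE:
      if (param_len != LLCP_VERSION_LEN) goto bad_tlv;
      BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_version, p);
      /* … unchanged: remaining cases use the same one-line check … */
  /* … unchanged: end of while loop, return true … */
bad_tlv:
  android_errorWriteLog(0x534e4554, "114238578");
  LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
  return false;
```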
@@ -63,20 +79,32 @@
break;
case LLCP_WKS_TYPE:
- BE_STREAM_TO_UINT8(param_len, p);
+ if (param_len != LLCP_WKS_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT16(llcp_cb.lcb.peer_wks, p);
LLCP_TRACE_DEBUG1("Peer WKS - 0x%04X", llcp_cb.lcb.peer_wks);
break;
case LLCP_LTO_TYPE:
- BE_STREAM_TO_UINT8(param_len, p);
+ if (param_len != LLCP_LTO_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_lto, p);
llcp_cb.lcb.peer_lto *= LLCP_LTO_UNIT; /* 10ms unit */
LLCP_TRACE_DEBUG1("Peer LTO - %d ms", llcp_cb.lcb.peer_lto);
break;
case LLCP_OPT_TYPE:
- BE_STREAM_TO_UINT8(param_len, p);
+ if (param_len != LLCP_OPT_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_opt, p);
LLCP_TRACE_DEBUG1("Peer OPT - 0x%02X", llcp_cb.lcb.peer_opt);
break;
@@ -88,13 +116,6 @@
p += param_len;
break;
}
-
- if (length >= param_len + 1)
- length -= param_len + 1;
- else {
- LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad LTV's");
- return false;
- }
}
return true;
}
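Review bot: With the loop condition now `while (length >= 2)`, a parameter list that ends in a single stray byte exits the loop and reaches `return true;` with no diagnostic, whereas every other malformation in this function is logged and rejected; the removed trailing check used to make that case an explicit error. If the leniency is intended it deserves a comment on the loop; otherwise add after the loop `if (length != 0) { LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's"); return false; }`. The default branch's `p += param_len` is safe because the remaining-length check at the top of the loop body (in an earlier hunk) already guarantees those bytes are present.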
@@ -465,13 +486,24 @@
p_params->sn[0] = 0;
p_params->sn[1] = 0;
- while (length) {
+ while (length >= 2) {
BE_STREAM_TO_UINT8(param_type, p);
- length--;
+ BE_STREAM_TO_UINT8(param_len, p);
+ /* check remaining lengh */
+ if (length < param_len + 2) {
+ android_errorWriteLog(0x534e4554, "111660010");
+ LLCP_TRACE_ERROR0("llcp_util_parse_connect (): Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
+ length -= param_len + 2;
switch (param_type) {
case LLCP_MIUX_TYPE:
- BE_STREAM_TO_UINT8(param_len, p);
+ if (param_len != LLCP_MIUX_LEN) {
+ android_errorWriteLog(0x534e4554, "111660010");
+ LLCP_TRACE_ERROR0("llcp_util_parse_connect (): Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
BE_STREAM_TO_UINT16(p_params->miu, p);
p_params->miu &= LLCP_MIUX_MASK;
p_params->miu += LLCP_DEFAULT_MIU;
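Review bot: The new comment `/* check remaining lengh */` on the length guard has a typo; since the line is being introduced here it should read `/* check remaining length */`. The guard itself is correct: `length < param_len + 2` is evaluated in int after promotion, so neither operand can wrap, and the following `length -= param_len + 2` cannot underflow. As in the other parsers in this change, p_params->miu is stored before the whole list has been validated, so a caller must treat p_params as unspecified when LLCP_STATUS_FAIL is returned; a one-line comment on the function stating that contract would avoid surprises. The function header and the rest of the switch are outside the hunk.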
@@ -481,7 +513,11 @@
break;
case LLCP_RW_TYPE:
- BE_STREAM_TO_UINT8(param_len, p);
+ if (param_len != LLCP_RW_LEN) {
+ android_errorWriteLog(0x534e4554, "111660010");
+ LLCP_TRACE_ERROR0("llcp_util_parse_connect (): Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
BE_STREAM_TO_UINT8(p_params->rw, p);
p_params->rw &= 0x0F;
@@ -490,8 +526,6 @@
break;
case LLCP_SN_TYPE:
- BE_STREAM_TO_UINT8(param_len, p);
-
if (param_len == 0) {
/* indicate that SN type is included without SN */
p_params->sn[1] = LLCP_SN_TYPE;
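Review bot: The SN case now takes `param_len` from the generic header read, and only the `param_len == 0` branch is visible; the branch that copies a non-empty service name into `p_params->sn` continues below the hunk, and the new top-of-loop check only proves the bytes exist in the input, not that they fit in the destination. Please confirm that path still compares `param_len` against the capacity of `p_params->sn` before copying, since the other cases gained exact-length checks but this one is variable-length by design. The enclosing switch and function end outside the hunk.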
@@ -515,14 +549,6 @@
p += param_len;
break;
}
-
- /* check remaining lengh */
- if (length >= param_len + 1) {
- length -= param_len + 1;
- } else {
- LLCP_TRACE_ERROR0("llcp_util_parse_connect (): Bad LTV's");
- return LLCP_STATUS_FAIL;
- }
}
return LLCP_STATUS_SUCCESS;
}
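Review bot: A single trailing byte after the last complete TLV now makes `while (length >= 2)` exit normally and this hunk returns LLCP_STATUS_SUCCESS without a log, even though every other malformed case in the function is rejected with LLCP_STATUS_FAIL; the removed trailing check used to make that case an explicit error. If strict parsing is the goal, add `if (length != 0) return LLCP_STATUS_FAIL;` after the loop, with the same "Bad TLV's" log; if leniency is deliberate, a comment on the loop should say so. The default branch's `p += param_len` remains safe because the remaining-length check at the top of the loop body (in an earlier hunk) covers it.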
@@ -599,13 +625,23 @@
*p_miu = LLCP_DEFAULT_MIU;
*p_rw = LLCP_DEFAULT_RW;
- while (length) {
+ while (length >= 2) {
BE_STREAM_TO_UINT8(param_type, p);
- length--;
+ BE_STREAM_TO_UINT8(param_len, p);
+ if (length < param_len + 2) {
+ android_errorWriteLog(0x534e4554, "114237888");
+ LLCP_TRACE_ERROR0("llcp_util_parse_cc (): Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
+ length -= param_len + 2;
switch (param_type) {
case LLCP_MIUX_TYPE:
- BE_STREAM_TO_UINT8(param_len, p);
+ if (param_len != LLCP_MIUX_LEN) {
+ android_errorWriteLog(0x534e4554, "114237888");
+ LLCP_TRACE_ERROR0("llcp_util_parse_cc (): Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
BE_STREAM_TO_UINT16((*p_miu), p);
(*p_miu) &= LLCP_MIUX_MASK;
(*p_miu) += LLCP_DEFAULT_MIU;
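Review bot: *p_miu and *p_rw are initialised to the defaults and then overwritten in place as each TLV is parsed, so when the new length checks return LLCP_STATUS_FAIL partway through, the caller's variables already hold peer-supplied values from earlier TLVs rather than the defaults. Unless every caller ignores the outputs on failure (not visible here), parse into locals and store them only on the success path, or document the contract with a comment above the function such as `/* On LLCP_STATUS_FAIL the contents of *p_miu and *p_rw are unspecified. */`. The function signature and its success return are outside this hunk.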
@@ -614,7 +650,11 @@
break;
case LLCP_RW_TYPE:
- BE_STREAM_TO_UINT8(param_len, p);
+ if (param_len != LLCP_RW_LEN) {
+ android_errorWriteLog(0x534e4554, "114237888");
+ LLCP_TRACE_ERROR0("llcp_util_parse_cc (): Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
BE_STREAM_TO_UINT8((*p_rw), p);
(*p_rw) &= 0x0F;
@@ -628,13 +668,6 @@
p += param_len;
break;
}
-
- if (length >= param_len + 1)
- length -= param_len + 1;
- else {
- LLCP_TRACE_ERROR0("llcp_util_parse_cc (): Bad LTV's");
- return LLCP_STATUS_FAIL;
- }
}
return LLCP_STATUS_SUCCESS;
}
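Review bot: Here too a lone trailing byte now ends the `while (length >= 2)` loop silently and the function returns LLCP_STATUS_SUCCESS, whereas the removed trailing check rejected it; the three parsers in this change should agree on whether that is an error. If it is, add `if (length != 0) return LLCP_STATUS_FAIL;` (with the "Bad TLV's" log) after the loop; if not, one comment on the loop is enough. The `p += param_len` in the default branch is covered by the remaining-length check at the top of the loop body in an earlier hunk.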
diff --git a/src/nfc/tags/rw_t2t_ndef.c b/src/nfc/tags/rw_t2t_ndef.c
index 2752963..83910e4 100644
--- a/src/nfc/tags/rw_t2t_ndef.c
+++ b/src/nfc/tags/rw_t2t_ndef.c
@@ -22,6 +22,7 @@
* Reader/Writer mode.
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
#include "nfc_target.h"
@@ -606,6 +607,10 @@
/* Extract lockbytes info addressed by this Lock TLV */
xx = 0;
+ if (count > RW_T2T_MAX_LOCK_BYTES) {
+ count = RW_T2T_MAX_LOCK_BYTES;
+ android_errorWriteLog(0x534e4554, "112161557");
+ }
while (xx < count) {
p_t2t->lockbyte[p_t2t->num_lockbytes].tlv_index =
p_t2t->num_lock_tlvs;
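Review bot: Clamping `count` to RW_T2T_MAX_LOCK_BYTES bounds one Lock TLV, but the writes on the following lines index `p_t2t->lockbyte[p_t2t->num_lockbytes]`, and num_lockbytes appears to accumulate across TLVs (each entry records `tlv_index = num_lock_tlvs`), so unless it is reset before this loop a second Lock TLV can still run past the array. A per-iteration guard is safer, `if (p_t2t->num_lockbytes >= RW_T2T_MAX_LOCK_BYTES) break;` at the top of the while body, or clamp `count` against the remaining space rather than the total capacity. Silently truncating rather than rejecting an over-long Lock TLV also changes which lock bytes are tracked; a comment stating why truncation is preferred over failing the tag would help. The loop body and the enclosing function continue outside the hunk.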