Add boundary check in nfa_hci_handle_admin_gate_rsp
Bug: 124524315
Test: Nfc Enable/Disable with NFC SIM
Merged-In: Ic5b9398f7fc4f3aa8c83bd902e47d7785c5a6161
Change-Id: Ic5b9398f7fc4f3aa8c83bd902e47d7785c5a6161
Exempt-From-Owner-Approval: new owner approved
(cherry picked from commit dc58f77ff10e8a6502208249741ab6879c038bf1)
diff --git a/src/nfa/hci/nfa_hci_act.cc b/src/nfa/hci/nfa_hci_act.cc
index 89a56ca..4ad9754 100644
--- a/src/nfa/hci/nfa_hci_act.cc
+++ b/src/nfa/hci/nfa_hci_act.cc
@@ -25,6 +25,7 @@
#include <android-base/stringprintf.h>
#include <base/logging.h>
+#include <log/log.h>
#include "nfa_dm_int.h"
#include "nfa_hci_api.h"
@@ -1401,7 +1402,8 @@
} else if (nfa_hci_cb.param_in_use == NFA_HCI_SESSION_IDENTITY_INDEX) {
/* The only parameter we get when initializing is the session ID.
* Check for match. */
- if (!memcmp((uint8_t*)nfa_hci_cb.cfg.admin_gate.session_id, p_data,
+ if (data_len >= NFA_HCI_SESSION_ID_LEN &&
+ !memcmp((uint8_t*)nfa_hci_cb.cfg.admin_gate.session_id, p_data,
NFA_HCI_SESSION_ID_LEN)) {
/* Session has not changed, Set WHITELIST */
nfa_hciu_send_set_param_cmd(
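Review bot: A response shorter than NFA_HCI_SESSION_ID_LEN now fails the added length test and so falls into the else branch exactly as a genuine session-ID mismatch would, which (per the next hunk) sends clear-all-pipes and sets b_hci_netwk_reset; a truncated or malformed ADMIN gate response therefore triggers a full HCI network reset rather than being rejected. The same shape recurs in the hunks at @@ -1464 and @@ -1479, where a short response is treated as "session changed" before the deregister/remove-gate handling runs. If a short response is a protocol error rather than a session change, test the length first and keep the match logic separate, e.g. `if (data_len < NFA_HCI_SESSION_ID_LEN) { android_errorWriteLog(0x534e4554, "124524315"); } else if (!memcmp(...))` — hedged, because the enclosing function and what a short response means for the state machine are outside the hunk. At minimum the comment above the check should record the new precondition: `/* The only parameter we get when initializing is the session ID. Check for match; a response shorter than NFA_HCI_SESSION_ID_LEN is treated as a mismatch. */`.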
@@ -1412,6 +1414,9 @@
* default session id */
nfa_hciu_send_clear_all_pipe_cmd();
nfa_hci_cb.b_hci_netwk_reset = true;
+ if (data_len < NFA_HCI_SESSION_ID_LEN) {
+ android_errorWriteLog(0x534e4554, "124524315");
+ }
}
}
break;
@@ -1464,7 +1469,8 @@
case NFA_HCI_ANY_GET_PARAMETER:
if (nfa_hci_cb.param_in_use == NFA_HCI_SESSION_IDENTITY_INDEX) {
- if (!memcmp((uint8_t*)default_session, p_data,
+ if (data_len >= NFA_HCI_SESSION_ID_LEN &&
+ !memcmp((uint8_t*)default_session, p_data,
NFA_HCI_SESSION_ID_LEN)) {
memcpy(&nfa_hci_cb.cfg.admin_gate
.session_id[(NFA_HCI_SESSION_ID_LEN / 2)],
@@ -1479,6 +1485,9 @@
NFA_HCI_SESSION_ID_LEN,
(uint8_t*)nfa_hci_cb.cfg.admin_gate.session_id);
} else {
+ if (data_len < NFA_HCI_SESSION_ID_LEN) {
+ android_errorWriteLog(0x534e4554, "124524315");
+ }
if (nfa_hci_cb.hci_state == NFA_HCI_STATE_APP_DEREGISTER)
nfa_hci_api_deregister(nullptr);
else if (nfa_hci_cb.hci_state == NFA_HCI_STATE_REMOVE_GATE)
@@ -1486,6 +1495,10 @@
}
} else if (nfa_hci_cb.param_in_use == NFA_HCI_HOST_LIST_INDEX) {
evt_data.hosts.status = status;
+ if (data_len > NFA_HCI_MAX_HOST_IN_NETWORK) {
+ data_len = NFA_HCI_MAX_HOST_IN_NETWORK;
+ android_errorWriteLog(0x534e4554, "124524315");
+ }
evt_data.hosts.num_hosts = data_len;
memcpy(evt_data.hosts.host, p_data, data_len);
@@ -1523,7 +1536,8 @@
break;
case NFA_HCI_ADM_CREATE_PIPE:
- if (status == NFA_STATUS_OK) {
+ // p_data should have at least 5 bytes length for pipe info
+ if (data_len >= 5 && status == NFA_STATUS_OK) {
STREAM_TO_UINT8(source_host, p_data);
STREAM_TO_UINT8(source_gate, p_data);
STREAM_TO_UINT8(dest_host, p_data);
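Review bot: The required pipe-info length is the bare literal 5 in the new condition and again as `data_len < 5` in the following hunk's else-if, so the two tests must be kept in sync by hand and neither is tied to the STREAM_TO_UINT8 reads that consume the bytes; a named constant declared alongside NFA_HCI_SESSION_ID_LEN, used in both places, would make the relationship checkable. The duplicated `status == NFA_STATUS_OK` test could also go: check status once, then `if (data_len < 5) { android_errorWriteLog(0x534e4554, "124524315"); status = NFA_STATUS_FAILED; }` before the reads, which keeps the existing "tell the application" path unchanged. The if/else-if pair closes in the next hunk, whose end is outside this view, so that restructuring is hedged.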
@@ -1540,6 +1554,9 @@
}
nfa_hciu_add_pipe_to_gate(pipe, source_gate, dest_host, dest_gate);
+ } else if (data_len < 5 && status == NFA_STATUS_OK) {
+ android_errorWriteLog(0x534e4554, "124524315");
+ status = NFA_STATUS_FAILED;
}
/* Tell the application his pipe was created or not */