DO NOT MERGE - Merge PPRL.190305.001 into master

Bug: 127812889
Change-Id: I84f4d413bb3226b93a4950aec81891fbc22f4793
diff --git a/src/nfa/dm/nfa_dm_api.cc b/src/nfa/dm/nfa_dm_api.cc
index 888d2ef..e8334dc 100644
--- a/src/nfa/dm/nfa_dm_api.cc
+++ b/src/nfa/dm/nfa_dm_api.cc
@@ -25,6 +25,7 @@
 
 #include <android-base/stringprintf.h>
 #include <base/logging.h>
+#include <log/log.h>
 
 #include "ndef_utils.h"
 #include "nfa_api.h"
@@ -939,6 +940,11 @@
     return (NFA_STATUS_INVALID_PARAM);
 
   size = NFC_HDR_SIZE + NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE + data_len;
+  /* Check for integer overflow */
+  if (size < data_len) {
+    android_errorWriteLog(0x534e4554, "120664978");
+    return NFA_STATUS_INVALID_PARAM;
+  }
   p_msg = (NFC_HDR*)GKI_getbuf(size);
   if (p_msg != nullptr) {
     p_msg->event = NFA_DM_API_RAW_FRAME_EVT;
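Review bot: The new `if (size < data_len)` guard only fires if the sum on the previous line is narrowed when stored into `size`; the declarations of `size` and `data_len` are outside the hunk, and if `size` is (or later becomes) as wide as the arithmetic type of the sum, the wrap never happens and the check is dead. A test that does not depend on the declared width is to bound `data_len` before adding, e.g. `if (data_len > LIMIT_OF_SIZE_TYPE - (NFC_HDR_SIZE + NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE)) return NFA_STATUS_INVALID_PARAM;` with the limit matching `size`'s type (UINT16_MAX if it is `uint16_t`, which the `GKI_getbuf(size)` call suggests). The comment `/* Check for integer overflow */` should then say what is being protected: `/* Reject data_len values whose header+payload total would not fit in size */`. The enclosing function starts before the hunk.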
diff --git a/src/nfc/tags/ce_t4t.cc b/src/nfc/tags/ce_t4t.cc
index f85d9b9..f807eb1 100644
--- a/src/nfc/tags/ce_t4t.cc
+++ b/src/nfc/tags/ce_t4t.cc
@@ -22,6 +22,7 @@
  *  mode.
  *
  ******************************************************************************/
+#include <log/log.h>
 #include <string.h>
 
 #include <android-base/stringprintf.h>
@@ -389,6 +390,14 @@
   /* Lc Byte */
   BE_STREAM_TO_UINT8(data_len, p_cmd);
 
+  /*CLS+INS+P1+P2+Lc+Data*/
+  if (data_len > (p_c_apdu->len - T4T_CMD_MAX_HDR_SIZE)) {
+    LOG(ERROR) << StringPrintf("Wrong length in ce_t4t_process_select_app_cmd");
+    android_errorWriteLog(0x534e4554, "115635871");
+    ce_t4t_send_status(T4T_RSP_WRONG_LENGTH);
+    GKI_freebuf(p_c_apdu);
+    return;
+  }
 #if (CE_TEST_INCLUDED == TRUE)
   if (mapping_aid_test_enabled) {
     if ((data_len == T4T_V20_NDEF_TAG_AID_LEN) &&
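Review bot: The bound `data_len > (p_c_apdu->len - T4T_CMD_MAX_HDR_SIZE)` is only meaningful because the caller in ce_t4t_data_cback (a later hunk in this file) now refuses to call this function with fewer than `T4T_CMD_MAX_HDR_SIZE` bytes; inside this function nothing records that precondition, and the Lc byte has already been read two lines above it. Since the subtraction is done in `int` a short buffer would make the right side negative and the check would still reject, so it is not a live bug, but a one-line precondition comment on the check, `/* caller guarantees p_c_apdu->len >= T4T_CMD_MAX_HDR_SIZE; data_len is the Lc byte just read */`, would stop a future caller from reintroducing the under-read. The enclosing function starts before the hunk.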
@@ -540,7 +549,7 @@
                               tNFC_CONN* p_data) {
   NFC_HDR* p_c_apdu;
   uint8_t* p_cmd;
-  uint8_t cla, instruct, select_type = 0, length;
+  uint8_t cla = 0, instruct = 0, select_type = 0, length = 0;
   uint16_t offset, max_file_size;
   tCE_DATA ce_data;
 
@@ -558,6 +567,14 @@
 
   p_cmd = (uint8_t*)(p_c_apdu + 1) + p_c_apdu->offset;
 
+  if (p_c_apdu->len == 0) {
+    LOG(ERROR) << StringPrintf("Wrong length in ce_t4t_data_cback");
+    android_errorWriteLog(0x534e4554, "115635871");
+    ce_t4t_send_status(T4T_RSP_WRONG_LENGTH);
+    if (p_c_apdu) GKI_freebuf(p_c_apdu);
+    return;
+  }
+
   /* Class Byte */
   BE_STREAM_TO_UINT8(cla, p_cmd);
 
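Review bot: The guard `if (p_c_apdu) GKI_freebuf(p_c_apdu);` in the new zero-length branch is dead: `p_c_apdu->len` was dereferenced two lines earlier (and `p_cmd` derived from it just above), so a null `p_c_apdu` can no longer reach this point, and the conditional suggests a null case that the function does not actually tolerate. The same pattern appears in the `T4T_RSP_NOT_FOUND` branch of the next hunk. Write it as the other error paths in this file do: `GKI_freebuf(p_c_apdu);`. The enclosing function ce_t4t_data_cback starts before the hunk.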
@@ -570,16 +587,28 @@
     return;
   }
 
-  /* Instruction Byte */
-  BE_STREAM_TO_UINT8(instruct, p_cmd);
+  /*CLA+INS+P1+P2 = 4 bytes*/
+  if (p_c_apdu->len >= T4T_CMD_MIN_HDR_SIZE) {
+    /* Instruction Byte */
+    BE_STREAM_TO_UINT8(instruct, p_cmd);
 
-  if ((cla == T4T_CMD_CLASS) && (instruct == T4T_CMD_INS_SELECT)) {
-    /* P1 Byte */
-    BE_STREAM_TO_UINT8(select_type, p_cmd);
+    if ((cla == T4T_CMD_CLASS) && (instruct == T4T_CMD_INS_SELECT)) {
+      /* P1 Byte */
+      BE_STREAM_TO_UINT8(select_type, p_cmd);
 
-    if (select_type == T4T_CMD_P1_SELECT_BY_NAME) {
-      ce_t4t_process_select_app_cmd(p_cmd, p_c_apdu);
-      return;
+      if (select_type == T4T_CMD_P1_SELECT_BY_NAME) {
+        /*CLA+INS+P1+P2+Lc = 5 bytes*/
+        if (p_c_apdu->len >= T4T_CMD_MAX_HDR_SIZE) {
+          ce_t4t_process_select_app_cmd(p_cmd, p_c_apdu);
+          return;
+        } else {
+          LOG(ERROR) << StringPrintf("Wrong length in select app cmd");
+          android_errorWriteLog(0x534e4554, "115635871");
+          ce_t4t_send_status(T4T_RSP_NOT_FOUND);
+          if (p_c_apdu) GKI_freebuf(p_c_apdu);
+          return;
+        }
+      }
     }
   }
 
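Review bot: The truncated SELECT-by-name path answers `ce_t4t_send_status(T4T_RSP_NOT_FOUND)`, while the two other new length guards in this file (the `len == 0` branch in the previous hunk and the Lc check in ce_t4t_process_select_app_cmd) answer `T4T_RSP_WRONG_LENGTH` for the same class of malformed APDU; the log text "Wrong length in select app cmd" on the line before it also says length. Unless a reader is meant to be told "application not found" for a 4-byte SELECT, `ce_t4t_send_status(T4T_RSP_WRONG_LENGTH);` is the consistent response. Note also that an APDU of 1 to 3 bytes now falls through the `len >= T4T_CMD_MIN_HDR_SIZE` test with `instruct` and `select_type` still at their zero initializers, so whatever the function does after this hunk (it continues past the end of the hunk) must cope with those defaults rather than with an unread field.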
diff --git a/src/nfc/tags/rw_t2t_ndef.cc b/src/nfc/tags/rw_t2t_ndef.cc
index 44ae54b..707f86b 100644
--- a/src/nfc/tags/rw_t2t_ndef.cc
+++ b/src/nfc/tags/rw_t2t_ndef.cc
@@ -594,7 +594,12 @@
             break;
 
           case TAG_LOCK_CTRL_TLV:
-            p_t2t->bytes_count--;
+            if (p_t2t->bytes_count > 0) {
+              p_t2t->bytes_count--;
+            } else {
+              LOG(ERROR) << StringPrintf("Underflow p_t2t->bytes_count!");
+              android_errorWriteLog(0x534e4554, "120506143");
+            }
             if ((tlvtype == TAG_LOCK_CTRL_TLV) || (tlvtype == TAG_NDEF_TLV)) {
               /* Collect Lock TLV */
               p_t2t->tlv_value[2 - p_t2t->bytes_count] = p_data[offset];
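Review bot: The new underflow branch only logs; execution then continues into the `tlv_value[2 - p_t2t->bytes_count]` store and, with `bytes_count` still 0, into the "last byte collected" handling below it, so a TLV whose byte counter is already exhausted is recorded and then processed as if it had just completed. The same log-and-continue shape is in the `TAG_MEM_CTRL_TLV` and `TAG_PROPRIETARY_TLV` hunks that follow. If the counter reaching 0 here is a malformed-tag condition, the branch should leave the TLV state machine rather than fall through — what the right exit is (a `break` out of the byte loop with a failure status, most likely) depends on the loop head, which starts before the hunk. Minor: the first message says "Underflow p_t2t->bytes_count!" and the other two say "bytes_count underflow!"; one wording would make the three log lines searchable together.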
@@ -642,7 +647,12 @@
             break;
 
           case TAG_MEM_CTRL_TLV:
-            p_t2t->bytes_count--;
+            if (p_t2t->bytes_count > 0) {
+              p_t2t->bytes_count--;
+            } else {
+              LOG(ERROR) << StringPrintf("bytes_count underflow!");
+              android_errorWriteLog(0x534e4554, "120506143");
+            }
             if ((tlvtype == TAG_MEM_CTRL_TLV) || (tlvtype == TAG_NDEF_TLV)) {
               p_t2t->tlv_value[2 - p_t2t->bytes_count] = p_data[offset];
               if (p_t2t->bytes_count == 0) {
@@ -674,7 +684,12 @@
             break;
 
           case TAG_PROPRIETARY_TLV:
-            p_t2t->bytes_count--;
+            if (p_t2t->bytes_count > 0) {
+              p_t2t->bytes_count--;
+            } else {
+              LOG(ERROR) << StringPrintf("bytes_count underflow!");
+              android_errorWriteLog(0x534e4554, "120506143");
+            }
             if (tlvtype == TAG_PROPRIETARY_TLV) {
               found = true;
               p_t2t->prop_msg_len = len;
diff --git a/src/nfc/tags/rw_t3t.cc b/src/nfc/tags/rw_t3t.cc
index 075c2d7..1341a81 100644
--- a/src/nfc/tags/rw_t3t.cc
+++ b/src/nfc/tags/rw_t3t.cc
@@ -26,6 +26,7 @@
 
 #include <android-base/stringprintf.h>
 #include <base/logging.h>
+#include <log/log.h>
 
 #include "nfc_target.h"
 
@@ -1246,6 +1247,10 @@
                       NCI_NFCID2_LEN) != 0)) /* verify response IDm */
   {
     evt_data.status = NFC_STATUS_FAILED;
+  } else if (p_msg_rsp->len <
+             (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)) {
+    evt_data.status = NFC_STATUS_FAILED;
+    android_errorWriteLog(0x534e4554, "120428041");
   } else {
     /* Get checksum from received ndef attribute msg */
     p = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_NDEF_ATTR_INFO_SIZE];
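Review bot: The new length test is reached only after the earlier clauses of the same condition have already read the response code and compared `NCI_NFCID2_LEN` bytes of IDm (the `memcmp` tail is visible on the first context line), so a response shorter than those header fields is inspected before it is rejected, unless a caller already enforces a minimum length — the head of the condition is outside the hunk. Putting the length check first, `if (p_msg_rsp->len < (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)) { evt_data.status = NFC_STATUS_FAILED; ... } else if (<existing rspcode/IDm tests>) {`, makes the guard independent of that assumption. The two later hunks in this file that add the same `else if` (at the `-1838` and `-2049` hunk headers) have the same ordering. The enclosing function starts before the hunk.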
@@ -1371,7 +1376,7 @@
         T3T_MSG_OPC_CHECK_RSP, p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE]);
     nfc_status = NFC_STATUS_FAILED;
     GKI_freebuf(p_msg_rsp);
-  } else {
+  } else if (p_msg_rsp->len >= T3T_MSG_RSP_OFFSET_CHECK_DATA) {
     /* Copy incoming data into buffer */
     p_msg_rsp->offset +=
         T3T_MSG_RSP_OFFSET_CHECK_DATA; /* Skip over t3t header */
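Review bot: This branch accepts `p_msg_rsp->len >= T3T_MSG_RSP_OFFSET_CHECK_DATA`, i.e. a CHECK response carrying zero block bytes, and the following lines skip the header and hand the (possibly empty) remainder to `rw_cb.p_cback` as an `RW_T3T_CHECK_EVT`; the three other length guards added in this file require `T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE`. If a CHECK response with no block data is never valid, the threshold here should match, `} else if (p_msg_rsp->len >= T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE) {`; if an empty data event is intended, a comment saying so on this line would stop the next reader from "fixing" it. The new `else` that rejects shorter responses is in the next hunk and the function continues past it.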
@@ -1381,6 +1386,10 @@
     tRW_DATA rw_data;
     rw_data.data = evt_data;
     (*(rw_cb.p_cback))(RW_T3T_CHECK_EVT, &rw_data);
+  } else {
+    android_errorWriteLog(0x534e4554, "120503926");
+    nfc_status = NFC_STATUS_FAILED;
+    GKI_freebuf(p_msg_rsp);
   }
 
   p_cb->rw_state = RW_T3T_STATE_IDLE;
@@ -1640,7 +1649,12 @@
 
     DLOG_IF(INFO, nfc_debug_enabled)
         << StringPrintf("FeliCa detected (RD, system code %04X)", sc);
-    p_cb->system_codes[p_cb->num_system_codes++] = sc;
+    if (p_cb->num_system_codes < T3T_MAX_SYSTEM_CODES) {
+      p_cb->system_codes[p_cb->num_system_codes++] = sc;
+    } else {
+      LOG(ERROR) << StringPrintf("Exceed T3T_MAX_SYSTEM_CODES!");
+      android_errorWriteLog(0x534e4554, "120499324");
+    }
   }
 
   rw_t3t_handle_get_system_codes_cplt();
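Review bot: Once `num_system_codes` reaches `T3T_MAX_SYSTEM_CODES` the new `else` logs and carries on, so if this sits inside the per-system-code loop (its head is before the hunk) every remaining code in the response produces another `LOG(ERROR)` and `android_errorWriteLog` for the same condition. Leaving the loop on the first overflow, `break;` after the log, keeps one event per response and makes it explicit that the surplus codes are dropped rather than processed. A short comment on the bound, `/* table full: extra codes from the tag are ignored */`, would document the chosen behaviour either way.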
@@ -1838,6 +1852,10 @@
                         NCI_NFCID2_LEN) != 0)) /* verify response IDm */
     {
       evt_data.status = NFC_STATUS_FAILED;
+    } else if (p_msg_rsp->len <
+               (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)) {
+      evt_data.status = NFC_STATUS_FAILED;
+      android_errorWriteLog(0x534e4554, "120506143");
     } else {
       /* Check if memory configuration (MC) block to see if SYS_OP=1 (NDEF
        * enabled) */
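Review bot: The tag passed to `android_errorWriteLog` in the new `else if` branch, "120506143", is the identifier used by the three rw_t2t_ndef.cc underflow hunks, whereas the otherwise identical length check earlier in this file (at the `-1246` hunk) logs "120428041"; the next hunk in this file reuses "120506143" as well. If the three rw_t3t length checks are meant to map to one report they should carry the same tag, and if not this reads like a copy-paste of the T2T id — worth confirming against the tracker before the ids are relied on for triage. The enclosing function starts before the hunk.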
@@ -2049,16 +2067,18 @@
                         NCI_NFCID2_LEN) != 0)) /* verify response IDm */
     {
       evt_data.status = NFC_STATUS_FAILED;
+    } else if (p_msg_rsp->len <
+               (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)) {
+      evt_data.status = NFC_STATUS_FAILED;
+      android_errorWriteLog(0x534e4554, "120506143");
     } else {
       /* Check if memory configuration (MC) block to see if SYS_OP=1 (NDEF
        * enabled) */
       p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA]; /* Point to MC data of
                                                            CHECK response */
 
-      if (p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] != 0x01) {
-        /* Tag is not currently enabled for NDEF */
-        evt_data.status = NFC_STATUS_FAILED;
-      } else {
+      evt_data.status = NFC_STATUS_FAILED;
+      if (p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] == 0x01) {
         /* Set MC_SP field with MC[0] = 0x00 & MC[1] = 0xC0 (Hardlock) to change
          * access permission from RW to RO */
         p_mc[T3T_MSG_FELICALITE_MC_OFFSET_MC_SP] = 0x00;
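Review bot: The restructuring drops the `/* Tag is not currently enabled for NDEF */` explanation, so `evt_data.status = NFC_STATUS_FAILED;` now stands unexplained in front of the `SYS_OP == 0x01` test, and the success assignment that presumably overrides it lies past the end of the hunk where a reader cannot see it. Restore the reason on the default, e.g. `/* Default to failure: only a tag with SYS_OP == 1 (NDEF enabled) can be set read-only */`, so the inverted condition is understood as a default-then-override rather than an unconditional failure. The new `else if` length check at the top of the hunk has the same ordering remark as the earlier length checks in this file (the IDm bytes are compared before the length is tested).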