DO NOT MERGE - Merge PPRL.190305.001 into master
Bug: 127812889
Change-Id: I84f4d413bb3226b93a4950aec81891fbc22f4793
diff --git a/src/nfa/dm/nfa_dm_api.cc b/src/nfa/dm/nfa_dm_api.cc
index 888d2ef..e8334dc 100644
--- a/src/nfa/dm/nfa_dm_api.cc
+++ b/src/nfa/dm/nfa_dm_api.cc
@@ -25,6 +25,7 @@
#include <android-base/stringprintf.h>
#include <base/logging.h>
+#include <log/log.h>
#include "ndef_utils.h"
#include "nfa_api.h"
@@ -939,6 +940,11 @@
return (NFA_STATUS_INVALID_PARAM);
size = NFC_HDR_SIZE + NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE + data_len;
+ /* Check for integer overflow */
+ if (size < data_len) {
+ android_errorWriteLog(0x534e4554, "120664978");
+ return NFA_STATUS_INVALID_PARAM;
+ }
p_msg = (NFC_HDR*)GKI_getbuf(size);
if (p_msg != nullptr) {
p_msg->event = NFA_DM_API_RAW_FRAME_EVT;
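Review bot: The overflow test `if (size < data_len)` on the added lines only detects a wrap if `size` is a narrower type than the arithmetic that produced it (e.g. a uint16_t receiving an int sum); the declarations of `size` and `data_len` are outside the hunk, so that assumption is not visible here. A check that does not depend on the assignment truncating, written before the sum is formed, is easier to audit, e.g. `if (data_len > UINT16_MAX - (NFC_HDR_SIZE + NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE)) return NFA_STATUS_INVALID_PARAM;` if `size` is indeed uint16_t. At minimum the comment should say what it relies on: `/* size is narrower than the promoted sum: a wrapped result is smaller than data_len */`. The enclosing function starts and ends outside the hunk.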
diff --git a/src/nfc/tags/ce_t4t.cc b/src/nfc/tags/ce_t4t.cc
index f85d9b9..f807eb1 100644
--- a/src/nfc/tags/ce_t4t.cc
+++ b/src/nfc/tags/ce_t4t.cc
@@ -22,6 +22,7 @@
* mode.
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
#include <android-base/stringprintf.h>
@@ -389,6 +390,14 @@
/* Lc Byte */
BE_STREAM_TO_UINT8(data_len, p_cmd);
+ /*CLS+INS+P1+P2+Lc+Data*/
+ if (data_len > (p_c_apdu->len - T4T_CMD_MAX_HDR_SIZE)) {
+ LOG(ERROR) << StringPrintf("Wrong length in ce_t4t_process_select_app_cmd");
+ android_errorWriteLog(0x534e4554, "115635871");
+ ce_t4t_send_status(T4T_RSP_WRONG_LENGTH);
+ GKI_freebuf(p_c_apdu);
+ return;
+ }
#if (CE_TEST_INCLUDED == TRUE)
if (mapping_aid_test_enabled) {
if ((data_len == T4T_V20_NDEF_TAG_AID_LEN) &&
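Review bot: The new bound `data_len > (p_c_apdu->len - T4T_CMD_MAX_HDR_SIZE)` is only meaningful because the caller now guarantees `p_c_apdu->len >= T4T_CMD_MAX_HDR_SIZE` (the added check in ce_t4t_data_cback later in this diff); if `p_c_apdu->len` and `T4T_CMD_MAX_HDR_SIZE` were both unsigned, a shorter buffer would wrap the subtraction to a large value and the check would pass. Writing it additively removes that dependence on the caller and on promotion rules: `if (data_len + T4T_CMD_MAX_HDR_SIZE > p_c_apdu->len) {`. A comment noting the caller-side precondition would also help, since this function's signature and the earlier reads from `p_cmd` are outside the hunk.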
@@ -540,7 +549,7 @@
tNFC_CONN* p_data) {
NFC_HDR* p_c_apdu;
uint8_t* p_cmd;
- uint8_t cla, instruct, select_type = 0, length;
+ uint8_t cla = 0, instruct = 0, select_type = 0, length = 0;
uint16_t offset, max_file_size;
tCE_DATA ce_data;
@@ -558,6 +567,14 @@
p_cmd = (uint8_t*)(p_c_apdu + 1) + p_c_apdu->offset;
+ if (p_c_apdu->len == 0) {
+ LOG(ERROR) << StringPrintf("Wrong length in ce_t4t_data_cback");
+ android_errorWriteLog(0x534e4554, "115635871");
+ ce_t4t_send_status(T4T_RSP_WRONG_LENGTH);
+ if (p_c_apdu) GKI_freebuf(p_c_apdu);
+ return;
+ }
+
/* Class Byte */
BE_STREAM_TO_UINT8(cla, p_cmd);
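Review bot: The null guard `if (p_c_apdu) GKI_freebuf(p_c_apdu);` on the new error path is dead: `p_c_apdu` was already dereferenced two lines earlier to compute `p_cmd` and in the `p_c_apdu->len == 0` condition itself, so a null pointer would have crashed before reaching the free. The same redundant guard appears in the select-by-name error path added further down in this file's last hunk. Use the unconditional `GKI_freebuf(p_c_apdu);` in both places so the reader is not led to think a null buffer can reach here. The enclosing function ce_t4t_data_cback starts outside the hunk.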
@@ -570,16 +587,28 @@
return;
}
- /* Instruction Byte */
- BE_STREAM_TO_UINT8(instruct, p_cmd);
+ /*CLA+INS+P1+P2 = 4 bytes*/
+ if (p_c_apdu->len >= T4T_CMD_MIN_HDR_SIZE) {
+ /* Instruction Byte */
+ BE_STREAM_TO_UINT8(instruct, p_cmd);
- if ((cla == T4T_CMD_CLASS) && (instruct == T4T_CMD_INS_SELECT)) {
- /* P1 Byte */
- BE_STREAM_TO_UINT8(select_type, p_cmd);
+ if ((cla == T4T_CMD_CLASS) && (instruct == T4T_CMD_INS_SELECT)) {
+ /* P1 Byte */
+ BE_STREAM_TO_UINT8(select_type, p_cmd);
- if (select_type == T4T_CMD_P1_SELECT_BY_NAME) {
- ce_t4t_process_select_app_cmd(p_cmd, p_c_apdu);
- return;
+ if (select_type == T4T_CMD_P1_SELECT_BY_NAME) {
+ /*CLA+INS+P1+P2+Lc = 5 bytes*/
+ if (p_c_apdu->len >= T4T_CMD_MAX_HDR_SIZE) {
+ ce_t4t_process_select_app_cmd(p_cmd, p_c_apdu);
+ return;
+ } else {
+ LOG(ERROR) << StringPrintf("Wrong length in select app cmd");
+ android_errorWriteLog(0x534e4554, "115635871");
+ ce_t4t_send_status(T4T_RSP_NOT_FOUND);
+ if (p_c_apdu) GKI_freebuf(p_c_apdu);
+ return;
+ }
+ }
}
}
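Review bot: When `p_c_apdu->len` is below T4T_CMD_MIN_HDR_SIZE the new `if` at the top of this hunk has no `else`, so `instruct` and `select_type` keep their zero initialisers and control falls through past the end of the hunk without a response or a free; whether the code that follows rejects that state is outside the hunk, but the other short-APDU paths in this commit answer explicitly. The short select-by-name path also replies `T4T_RSP_NOT_FOUND` while its log message says "Wrong length" and the zero-length path replies `T4T_RSP_WRONG_LENGTH`; if the NOT_FOUND status is deliberate, a comment should say why. An explicit else branch for the too-short header is sketched below.

```cpp
  if (p_c_apdu->len >= T4T_CMD_MIN_HDR_SIZE) {
    // … unchanged: INS / P1 parsing and select-by-name dispatch …
  } else {
    LOG(ERROR) << StringPrintf("Wrong length in ce_t4t_data_cback");
    android_errorWriteLog(0x534e4554, "115635871");
    ce_t4t_send_status(T4T_RSP_WRONG_LENGTH);
    GKI_freebuf(p_c_apdu);
    return;
  }
```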
diff --git a/src/nfc/tags/rw_t2t_ndef.cc b/src/nfc/tags/rw_t2t_ndef.cc
index 44ae54b..707f86b 100644
--- a/src/nfc/tags/rw_t2t_ndef.cc
+++ b/src/nfc/tags/rw_t2t_ndef.cc
@@ -594,7 +594,12 @@
break;
case TAG_LOCK_CTRL_TLV:
- p_t2t->bytes_count--;
+ if (p_t2t->bytes_count > 0) {
+ p_t2t->bytes_count--;
+ } else {
+ LOG(ERROR) << StringPrintf("Underflow p_t2t->bytes_count!");
+ android_errorWriteLog(0x534e4554, "120506143");
+ }
if ((tlvtype == TAG_LOCK_CTRL_TLV) || (tlvtype == TAG_NDEF_TLV)) {
/* Collect Lock TLV */
p_t2t->tlv_value[2 - p_t2t->bytes_count] = p_data[offset];
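Review bot: The new `else` branch only logs the underflow and then continues into the unchanged code below, which writes `tlv_value[2 - p_t2t->bytes_count]` with `bytes_count` still 0 and then tests `bytes_count == 0` as a completed value; an inconsistent parser state is therefore reported but processed as if a 3-byte value had just finished. If the count reaching 0 here is a sign of a malformed TLV stream, the branch should probably also abort the TLV walk (e.g. mark the parse failed and `break`) rather than fall through — the surrounding loop is outside the hunk, so confirm what state it expects. The same pattern is repeated in the TAG_MEM_CTRL_TLV and TAG_PROPRIETARY_TLV hunks below, with a differently worded message ("Underflow p_t2t->bytes_count!" here, "bytes_count underflow!" there); one wording for all three would make the logs searchable.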
@@ -642,7 +647,12 @@
break;
case TAG_MEM_CTRL_TLV:
- p_t2t->bytes_count--;
+ if (p_t2t->bytes_count > 0) {
+ p_t2t->bytes_count--;
+ } else {
+ LOG(ERROR) << StringPrintf("bytes_count underflow!");
+ android_errorWriteLog(0x534e4554, "120506143");
+ }
if ((tlvtype == TAG_MEM_CTRL_TLV) || (tlvtype == TAG_NDEF_TLV)) {
p_t2t->tlv_value[2 - p_t2t->bytes_count] = p_data[offset];
if (p_t2t->bytes_count == 0) {
@@ -674,7 +684,12 @@
break;
case TAG_PROPRIETARY_TLV:
- p_t2t->bytes_count--;
+ if (p_t2t->bytes_count > 0) {
+ p_t2t->bytes_count--;
+ } else {
+ LOG(ERROR) << StringPrintf("bytes_count underflow!");
+ android_errorWriteLog(0x534e4554, "120506143");
+ }
if (tlvtype == TAG_PROPRIETARY_TLV) {
found = true;
p_t2t->prop_msg_len = len;
diff --git a/src/nfc/tags/rw_t3t.cc b/src/nfc/tags/rw_t3t.cc
index 075c2d7..1341a81 100644
--- a/src/nfc/tags/rw_t3t.cc
+++ b/src/nfc/tags/rw_t3t.cc
@@ -26,6 +26,7 @@
#include <android-base/stringprintf.h>
#include <base/logging.h>
+#include <log/log.h>
#include "nfc_target.h"
@@ -1246,6 +1247,10 @@
NCI_NFCID2_LEN) != 0)) /* verify response IDm */
{
evt_data.status = NFC_STATUS_FAILED;
+ } else if (p_msg_rsp->len <
+ (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)) {
+ evt_data.status = NFC_STATUS_FAILED;
+ android_errorWriteLog(0x534e4554, "120428041");
} else {
/* Get checksum from received ndef attribute msg */
p = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_NDEF_ATTR_INFO_SIZE];
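Review bot: The new length check `p_msg_rsp->len < (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)` is evaluated only as the `else if` after the IDm `memcmp` shown as context above it, so a response shorter than the IDm field is still read by that compare before being rejected; unless an earlier check outside the hunk already covers the header, the length test should come first. The bound is expressed in T3T_MSG_BLOCKSIZE while the following access uses T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_NDEF_ATTR_INFO_SIZE; a comment such as `/* checksum lies inside the first data block: NDEF_ATTR_INFO_SIZE + 2 <= BLOCKSIZE */` would tie the two together. The same ordering applies to the two later hunks in this file that add the identical check; those two reuse bug id "120506143", which elsewhere in this commit tags the rw_t2t_ndef.cc fix, so verify the id is intended. The enclosing function starts outside the hunk.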
@@ -1371,7 +1376,7 @@
T3T_MSG_OPC_CHECK_RSP, p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE]);
nfc_status = NFC_STATUS_FAILED;
GKI_freebuf(p_msg_rsp);
- } else {
+ } else if (p_msg_rsp->len >= T3T_MSG_RSP_OFFSET_CHECK_DATA) {
/* Copy incoming data into buffer */
p_msg_rsp->offset +=
T3T_MSG_RSP_OFFSET_CHECK_DATA; /* Skip over t3t header */
@@ -1381,6 +1386,10 @@
tRW_DATA rw_data;
rw_data.data = evt_data;
(*(rw_cb.p_cback))(RW_T3T_CHECK_EVT, &rw_data);
+ } else {
+ android_errorWriteLog(0x534e4554, "120503926");
+ nfc_status = NFC_STATUS_FAILED;
+ GKI_freebuf(p_msg_rsp);
}
p_cb->rw_state = RW_T3T_STATE_IDLE;
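Review bot: The new `else` branch reports the short CHECK response only through `android_errorWriteLog` and gives no `LOG(ERROR)`, unlike every other error path added in this commit; add `LOG(ERROR) << StringPrintf("CHECK response shorter than T3T header");` before the status assignment so the failure is visible in the device log. Note also that the preceding condition `p_msg_rsp->len >= T3T_MSG_RSP_OFFSET_CHECK_DATA` accepts a response with exactly the header and no data, so the callback may receive an empty payload after the header skip; whether that is valid for RW_T3T_CHECK_EVT is outside the hunk and worth a comment either way.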
@@ -1640,7 +1649,12 @@
DLOG_IF(INFO, nfc_debug_enabled)
<< StringPrintf("FeliCa detected (RD, system code %04X)", sc);
- p_cb->system_codes[p_cb->num_system_codes++] = sc;
+ if (p_cb->num_system_codes < T3T_MAX_SYSTEM_CODES) {
+ p_cb->system_codes[p_cb->num_system_codes++] = sc;
+ } else {
+ LOG(ERROR) << StringPrintf("Exceed T3T_MAX_SYSTEM_CODES!");
+ android_errorWriteLog(0x534e4554, "120499324");
+ }
}
rw_t3t_handle_get_system_codes_cplt();
@@ -1838,6 +1852,10 @@
NCI_NFCID2_LEN) != 0)) /* verify response IDm */
{
evt_data.status = NFC_STATUS_FAILED;
+ } else if (p_msg_rsp->len <
+ (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)) {
+ evt_data.status = NFC_STATUS_FAILED;
+ android_errorWriteLog(0x534e4554, "120506143");
} else {
/* Check if memory configuration (MC) block to see if SYS_OP=1 (NDEF
* enabled) */
@@ -2049,16 +2067,18 @@
NCI_NFCID2_LEN) != 0)) /* verify response IDm */
{
evt_data.status = NFC_STATUS_FAILED;
+ } else if (p_msg_rsp->len <
+ (T3T_MSG_RSP_OFFSET_CHECK_DATA + T3T_MSG_BLOCKSIZE)) {
+ evt_data.status = NFC_STATUS_FAILED;
+ android_errorWriteLog(0x534e4554, "120506143");
} else {
/* Check if memory configuration (MC) block to see if SYS_OP=1 (NDEF
* enabled) */
p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA]; /* Point to MC data of
CHECK response */
- if (p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] != 0x01) {
- /* Tag is not currently enabled for NDEF */
- evt_data.status = NFC_STATUS_FAILED;
- } else {
+ evt_data.status = NFC_STATUS_FAILED;
+ if (p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] == 0x01) {
/* Set MC_SP field with MC[0] = 0x00 & MC[1] = 0xC0 (Hardlock) to change
* access permission from RW to RO */
p_mc[T3T_MSG_FELICALITE_MC_OFFSET_MC_SP] = 0x00;