Google Git
Sign in
android / platform / system / nfc / cd0f77f7^! / .
commitcd0f77f71ff4166529fc22aa7db6c32dbb1d2c1c[log] [tgz]
authorAlisher Alikhodjaev <alisher@google.com>Fri Feb 19 15:38:43 2021 -0800
committerandroid-build-team Robot <android-build-team-robot@google.com>Fri Mar 19 00:00:55 2021 +0000
treed225b8d2cb6667dc2db23f0bf350f72f8801e02c
parent6a2a5f92df8879d154d965467e7c6e4342e943d3 [diff]
Memory Disclosure, OOB Write, and Double Free in NFC T3T tag

Bug: 179687208
Test: build ok
Change-Id: I9fcc8d7813e5192810808c207ac0364e279bef09
(cherry picked from commit 16a3bb0b54fb6537abb283a6efadb6dfe53399f5)

diff --git a/src/nfc/include/rw_int.h b/src/nfc/include/rw_int.h
index f4027a5..2e6d4c2 100644
--- a/src/nfc/include/rw_int.h
+++ b/src/nfc/include/rw_int.h

@@ -494,6 +494,8 @@
 #define RW_T3T_FL_W4_FMT_FELICA_LITE_POLL_RSP 0x10
 /* Waiting for POLL response for RW_T3tSetReadOnly */
 #define RW_T3T_FL_W4_SRO_FELICA_LITE_POLL_RSP 0x20
+/* Waiting for POLL response for RW_T3tPoll */
+#define RW_T3T_FL_W4_USER_POLL_RSP 0x40
 
 typedef struct {
   uint32_t cur_tout; /* Current command timeout */

diff --git a/src/nfc/tags/rw_t3t.cc b/src/nfc/tags/rw_t3t.cc
index 60afe38..58b84fd 100644
--- a/src/nfc/tags/rw_t3t.cc
+++ b/src/nfc/tags/rw_t3t.cc

@@ -248,6 +248,14 @@
       /* For GetSystemCode: tag did not respond to requested POLL */
       rw_t3t_handle_get_system_codes_cplt();
       return;
+    } else if ((p_cb->flags & (RW_T3T_FL_W4_PRESENCE_CHECK_POLL_RSP |
+                               RW_T3T_FL_W4_GET_SC_POLL_RSP |
+                               RW_T3T_FL_W4_FMT_FELICA_LITE_POLL_RSP |
+                               RW_T3T_FL_W4_SRO_FELICA_LITE_POLL_RSP |
+                               RW_T3T_FL_W4_NDEF_DETECT_POLL_RSP |
+                               RW_T3T_FL_W4_USER_POLL_RSP))) {
+      /* Tag did not respond correctly to requested POLL */
+      return;
     }
     /* Retry sending command if retry-count < max */
     else if (rw_cb.cur_retry < RW_MAX_RETRIES) {
@@ -271,8 +279,7 @@
                                 p_cb->cur_tout);
           return;
         } else {
-          /* failure - could not send buffer */
-          GKI_freebuf(p_cmd_buf);
+          android_errorWriteLog(0x534e4554, "179687208");
         }
       }
     } else {
@@ -368,6 +375,7 @@
     rw_t3t_handle_ndef_detect_poll_rsp(p_cb, nci_status, num_responses);
   } else {
     /* Handle POLL ntf in response to RW_T3tPoll */
+    p_cb->flags &= ~RW_T3T_FL_W4_USER_POLL_RSP;
     evt_data.t3t_poll.status = nci_status;
     if (evt_data.t3t_poll.status == NCI_STATUS_OK) {
       evt_data.t3t_poll.rc = p_cb->cur_poll_rc;
@@ -2834,6 +2842,7 @@
     /* start timer for waiting for responses */
     p_cb->cur_poll_rc = rc;
     p_cb->rw_state = RW_T3T_STATE_COMMAND_PENDING;
+    p_cb->flags |= RW_T3T_FL_W4_USER_POLL_RSP;
     rw_t3t_start_poll_timer(p_cb);
   }