NFC - Memory disclosure in rw_i93_sm_format
Bug: 157650336
Test: build and run (no tag testing)
Exempt-From-Owner-Approval: new owner approved
Merged-In: If6cd929624f8ae8c2c70295924bea206d82d48f4
Change-Id: I99872a5c48df29a7a9dd578aa47f22b8a09901ff
(cherry picked from commit 263e1127da9806b9ee3564d3520b6fc7435325c8)
diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c
index 21cd2dd..255d22a 100644
--- a/src/nfc/tags/rw_i93.c
+++ b/src/nfc/tags/rw_i93.c
@@ -2411,12 +2411,21 @@
RW_TRACE_ERROR0("rw_i93_sm_format (): Cannot allocate buffer");
rw_i93_handle_error(NFC_STATUS_FAILED);
break;
- } else if (p_i93->block_size > RW_I93_FORMAT_DATA_LEN) {
- /* Possible leaking information from previous NFC transactions */
- /* Clear previous values */
- memset(p_i93->p_update_data, I93_ICODE_TLV_TYPE_NULL,
- I93_MAX_BLOCK_LENGH);
- android_errorWriteLog(0x534e4554, "139738828");
+ } else {
+ switch (p_i93->block_size) {
+ case 4:
+ case 8:
+ break;
+ case 16:
+ case 32: /* initialize unpopulated buffer b/139738828 */
+ memset(p_i93->p_update_data, I93_ICODE_TLV_TYPE_NULL,
+ I93_MAX_BLOCK_LENGH);
+ break;
+ default:
+ android_errorWriteLog(0x534e4554, "157650336");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
}
p = p_i93->p_update_data;
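Review bot: The `memset` under `case 16:` / `case 32:` clears `I93_MAX_BLOCK_LENGH` bytes, while the removed condition compared `block_size` against `RW_I93_FORMAT_DATA_LEN`, which suggests the buffer may have been requested with that smaller length. The allocation is outside the hunk, so confirm that `p_update_data` is at least `I93_MAX_BLOCK_LENGH` bytes; otherwise the clear itself writes past the requested size. The `case 4:` / `case 8:` arm leaves the buffer uninitialized and appears to rely on the code after `p = p_i93->p_update_data;` filling every byte that is later transmitted. If that holds, record it with a comment such as `/* block fully populated below, no clear needed */`; if not, clear unconditionally. The `default:` arm returns with the freshly allocated buffer still held in `p_update_data`, so also check that `rw_i93_handle_error` releases it in this state. The enclosing function starts and ends outside the hunk.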