Prevent Out of bounds read in llcp code part 2
Bug: 114238578
Bug: 114237888
Bug: 111660010
Test: Tag read/write; Card Emulation
Merged-In: Ie1e7f3285e2fcf88382b2be8bb09e1f9fb98be03
Change-Id: Ie1e7f3285e2fcf88382b2be8bb09e1f9fb98be03
(cherry picked from commit cf1627d9d3c59dd30e7e4c12d4a95b8f051f644e)
(cherry picked from commit 06d8edd06e16e1fbf36127ef55586e1112e0b70c)
diff --git a/src/nfc/llcp/llcp_util.cc b/src/nfc/llcp/llcp_util.cc
index 973a1b9..7c5d851 100644
--- a/src/nfc/llcp/llcp_util.cc
+++ b/src/nfc/llcp/llcp_util.cc
@@ -55,19 +55,29 @@
BE_STREAM_TO_UINT8(param_len, p);
if (length < param_len + 2) {
android_errorWriteLog(0x534e4554, "114238578");
- LOG(ERROR) << StringPrintf("Bad LTV's");
+ LOG(ERROR) << StringPrintf("Bad TLV's");
return false;
}
length -= param_len + 2;
switch (param_type) {
case LLCP_VERSION_TYPE:
+ if (param_len != LLCP_VERSION_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LOG(ERROR) << StringPrintf("Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_version, p);
DLOG_IF(INFO, nfc_debug_enabled)
<< StringPrintf("Peer Version - 0x%02X", llcp_cb.lcb.peer_version);
break;
case LLCP_MIUX_TYPE:
+ if (param_len != LLCP_MIUX_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LOG(ERROR) << StringPrintf("Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT16(llcp_cb.lcb.peer_miu, p);
llcp_cb.lcb.peer_miu &= LLCP_MIUX_MASK;
llcp_cb.lcb.peer_miu += LLCP_DEFAULT_MIU;
@@ -76,12 +86,22 @@
break;
case LLCP_WKS_TYPE:
+ if (param_len != LLCP_WKS_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LOG(ERROR) << StringPrintf("Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT16(llcp_cb.lcb.peer_wks, p);
DLOG_IF(INFO, nfc_debug_enabled)
<< StringPrintf("Peer WKS - 0x%04X", llcp_cb.lcb.peer_wks);
break;
case LLCP_LTO_TYPE:
+ if (param_len != LLCP_LTO_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LOG(ERROR) << StringPrintf("Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_lto, p);
llcp_cb.lcb.peer_lto *= LLCP_LTO_UNIT; /* 10ms unit */
DLOG_IF(INFO, nfc_debug_enabled)
@@ -89,6 +109,11 @@
break;
case LLCP_OPT_TYPE:
+ if (param_len != LLCP_OPT_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LOG(ERROR) << StringPrintf("Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_opt, p);
DLOG_IF(INFO, nfc_debug_enabled)
<< StringPrintf("Peer OPT - 0x%02X", llcp_cb.lcb.peer_opt);
@@ -474,13 +499,18 @@
/* check remaining lengh */
if (length < param_len + 2) {
android_errorWriteLog(0x534e4554, "111660010");
- LOG(ERROR) << StringPrintf("Bad LTV's");
+ LOG(ERROR) << StringPrintf("Bad TLV's");
return LLCP_STATUS_FAIL;
}
length -= param_len + 2;
switch (param_type) {
case LLCP_MIUX_TYPE:
+ if (param_len != LLCP_MIUX_LEN) {
+ android_errorWriteLog(0x534e4554, "111660010");
+ LOG(ERROR) << StringPrintf("Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
BE_STREAM_TO_UINT16(p_params->miu, p);
p_params->miu &= LLCP_MIUX_MASK;
p_params->miu += LLCP_DEFAULT_MIU;
@@ -490,6 +520,11 @@
break;
case LLCP_RW_TYPE:
+ if (param_len != LLCP_RW_LEN) {
+ android_errorWriteLog(0x534e4554, "111660010");
+ LOG(ERROR) << StringPrintf("Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
BE_STREAM_TO_UINT8(p_params->rw, p);
p_params->rw &= 0x0F;
@@ -600,13 +635,18 @@
BE_STREAM_TO_UINT8(param_len, p);
if (length < param_len + 2) {
android_errorWriteLog(0x534e4554, "114237888");
- LOG(ERROR) << StringPrintf("Bad LTV's");
+ LOG(ERROR) << StringPrintf("Bad TLV's");
return LLCP_STATUS_FAIL;
}
length -= param_len + 2;
switch (param_type) {
case LLCP_MIUX_TYPE:
+ if (param_len != LLCP_MIUX_LEN) {
+ android_errorWriteLog(0x534e4554, "114237888");
+ LOG(ERROR) << StringPrintf("Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
BE_STREAM_TO_UINT16((*p_miu), p);
(*p_miu) &= LLCP_MIUX_MASK;
(*p_miu) += LLCP_DEFAULT_MIU;
@@ -616,6 +656,11 @@
break;
case LLCP_RW_TYPE:
+ if (param_len != LLCP_RW_LEN) {
+ android_errorWriteLog(0x534e4554, "114237888");
+ LOG(ERROR) << StringPrintf("Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
BE_STREAM_TO_UINT8((*p_rw), p);
(*p_rw) &= 0x0F;
