Prevent integer underflow in rw_t3t_act_handle_check_ndef_rsp()
Bug: 120502559
Test: NFC Enable/Disable, Read T3T Tag
Change-Id: I25389b85b14e74b0a20eb2e41373b5708ea057b1
(cherry picked from commit 4d9b1dd02bf82a76c4c67d9a52139fef6db9bc34)
diff --git a/src/nfc/tags/rw_t3t.cc b/src/nfc/tags/rw_t3t.cc
index 67526db..ea88fc9 100644
--- a/src/nfc/tags/rw_t3t.cc
+++ b/src/nfc/tags/rw_t3t.cc
@@ -1503,10 +1503,11 @@
T3T_MSG_OPC_CHECK_RSP, p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE]);
nfc_status = NFC_STATUS_FAILED;
GKI_freebuf(p_msg_rsp);
- } else {
+ } else if (p_msg_rsp->len >= T3T_MSG_RSP_OFFSET_CHECK_DATA &&
+ p_t3t_rsp[T3T_MSG_RSP_OFFSET_NUMBLOCKS] > 0) {
/* Notify app of NDEF segment received */
- rsp_num_bytes_rx = p_t3t_rsp[T3T_MSG_RSP_OFFSET_NUMBLOCKS] *
- 16; /* Number of bytes received, according to header */
+ /* Number of bytes received, according to header */
+ rsp_num_bytes_rx = p_t3t_rsp[T3T_MSG_RSP_OFFSET_NUMBLOCKS] * 16;
p_cb->ndef_rx_offset += p_cb->ndef_rx_readlen;
p_msg_rsp->offset +=
T3T_MSG_RSP_OFFSET_CHECK_DATA; /* Skip over t3t header (point to block
@@ -1546,6 +1547,11 @@
}
}
}
+ } else {
+ android_errorWriteLog(0x534e4554, "120502559");
+ GKI_freebuf(p_msg_rsp);
+ nfc_status = NFC_STATUS_FAILED;
+ LOG(ERROR) << StringPrintf("Underflow in p_msg_rsp->len!");
}
/* Notify app of RW_T3T_CHECK_CPLT_EVT if entire NDEF has been read, or if
