Potential OOB read in nfc_ncif_proc_ee_action
Bug: 157649306
Test: build ok
Change-Id: I0f79b50a46bb7b03e08f25f5cfb8d6e7d38e8795
diff --git a/src/nfc/nfc/nfc_ncif.cc b/src/nfc/nfc/nfc_ncif.cc
index 489b84f..d76ccf3b 100644
--- a/src/nfc/nfc/nfc_ncif.cc
+++ b/src/nfc/nfc/nfc_ncif.cc
@@ -1426,16 +1426,26 @@
void nfc_ncif_proc_ee_action(uint8_t* p, uint16_t plen) {
tNFC_EE_ACTION_REVT evt_data;
tNFC_RESPONSE_CBACK* p_cback = nfc_cb.p_resp_cback;
+ tNFC_RESPONSE nfc_response;
uint8_t data_len, ulen, tag, *p_data;
uint8_t max_len;
if (p_cback) {
memset(&evt_data.act_data, 0, sizeof(tNFC_ACTION_DATA));
+ if (plen > 3) {
+ plen -= 3;
+ } else {
+ evt_data.status = NFC_STATUS_FAILED;
+ evt_data.nfcee_id = 0;
+ nfc_response.ee_action = evt_data;
+ (*p_cback)(NFC_EE_ACTION_REVT, &nfc_response);
+ android_errorWriteLog(0x534e4554, "157649306");
+ return;
+ }
evt_data.status = NFC_STATUS_OK;
evt_data.nfcee_id = *p++;
evt_data.act_data.trigger = *p++;
data_len = *p++;
- if (plen >= 3) plen -= 3;
if (data_len > plen) data_len = (uint8_t)plen;
switch (evt_data.act_data.trigger) {
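Review bot: The new guard `if (plen > 3)` rejects a payload of exactly three bytes, which the removed line `if (plen >= 3) plen -= 3;` accepted: three bytes cover nfcee_id, trigger and data_len, after which plen becomes 0 and the clamp `if (data_len > plen) data_len = (uint8_t)plen;` safely zeroes data_len, so such a message is not an out-of-bounds read. Unless rejecting an empty action payload is intended, the bound should be `if (plen >= 3) {`, and if it is intended a comment such as `/* require at least one byte of action data beyond the 3-byte header */` should say so. On the failure path evt_data.act_data is already zeroed by the memset above, so the callback sees a fully initialized struct, which is good. The body of nfc_ncif_proc_ee_action, including the per-trigger parsing in the switch that actually consumes data_len, continues outside this hunk, so the reads it bounds are not visible here.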
@@ -1478,7 +1488,6 @@
}
break;
}
- tNFC_RESPONSE nfc_response;
nfc_response.ee_action = evt_data;
(*p_cback)(NFC_EE_ACTION_REVT, &nfc_response);
}