Prevent Out of bounds read in llcp code part 2
Bug: 114238578
Bug: 114237888
Bug: 111660010
Test: Tag read/write; Card Emulation
Merged-In: Ie1e7f3285e2fcf88382b2be8bb09e1f9fb98be03
Change-Id: Ie1e7f3285e2fcf88382b2be8bb09e1f9fb98be03
(cherry picked from commit cf1627d9d3c59dd30e7e4c12d4a95b8f051f644e)
(cherry picked from commit fffa48776b39af50d6e1ca865848ca85f6233fa1)
diff --git a/src/nfc/llcp/llcp_util.c b/src/nfc/llcp/llcp_util.c
index 6f10d12..3b984e3 100644
--- a/src/nfc/llcp/llcp_util.c
+++ b/src/nfc/llcp/llcp_util.c
@@ -50,18 +50,28 @@
BE_STREAM_TO_UINT8(param_len, p);
if (length < param_len + 2) {
android_errorWriteLog(0x534e4554, "114238578");
- LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad LTV's");
+ LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
return false;
}
length -= param_len + 2;
switch (param_type) {
case LLCP_VERSION_TYPE:
+ if (param_len != LLCP_VERSION_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_version, p);
LLCP_TRACE_DEBUG1("Peer Version - 0x%02X", llcp_cb.lcb.peer_version);
break;
case LLCP_MIUX_TYPE:
+ if (param_len != LLCP_MIUX_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT16(llcp_cb.lcb.peer_miu, p);
llcp_cb.lcb.peer_miu &= LLCP_MIUX_MASK;
llcp_cb.lcb.peer_miu += LLCP_DEFAULT_MIU;
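Review bot: The five-line `param_len != LLCP_*_LEN` guard is pasted verbatim for the VERSION and MIUX cases here (and again for every fixed-size TLV in the hunks that follow), differing only in the expected length, which makes it easy for the next parameter type someone adds to miss the check. A small static helper taking the expected length and the bug id, returning false on mismatch, reduces each case to one line and gives the invariant one documented home: the BE_STREAM_TO_* macros consume a fixed number of bytes regardless of what the LENGTH byte says, so any other value either misaligns `p` or reads past the PDU. The helper would format the caller name through the one-argument trace macro (LLCP_TRACE_ERROR1), which this file appears to have alongside the LLCP_TRACE_DEBUG1 used below; confirm it exists before relying on it. llcp_util_parse_link_params starts before this hunk and continues past it.
```c
/* A fixed-size TLV must carry exactly the LENGTH the spec assigns it: the
 * BE_STREAM_TO_* read that follows consumes a fixed number of bytes no
 * matter what LENGTH says, so any other value would misalign p or read
 * past the end of the PDU.  Logs the SafetyNet bug id and returns false
 * on mismatch. */
static bool llcp_util_check_tlv_len(uint8_t param_len, uint8_t expected_len,
                                    const char* caller, const char* bug_id) {
  if (param_len == expected_len) return true;
  android_errorWriteLog(0x534e4554, bug_id);
  LLCP_TRACE_ERROR1("%s (): Bad TLV's", caller);
  return false;
}

/* … unchanged: type/length header reads and remaining-length check … */
      case LLCP_VERSION_TYPE:
        if (!llcp_util_check_tlv_len(param_len, LLCP_VERSION_LEN,
                                     "llcp_util_parse_link_params", "114238578"))
          return false;
        BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_version, p);
        /* … unchanged: remaining cases take the same one-line guard … */
```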
@@ -69,17 +79,32 @@
break;
case LLCP_WKS_TYPE:
+ if (param_len != LLCP_WKS_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT16(llcp_cb.lcb.peer_wks, p);
LLCP_TRACE_DEBUG1("Peer WKS - 0x%04X", llcp_cb.lcb.peer_wks);
break;
case LLCP_LTO_TYPE:
+ if (param_len != LLCP_LTO_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_lto, p);
llcp_cb.lcb.peer_lto *= LLCP_LTO_UNIT; /* 10ms unit */
LLCP_TRACE_DEBUG1("Peer LTO - %d ms", llcp_cb.lcb.peer_lto);
break;
case LLCP_OPT_TYPE:
+ if (param_len != LLCP_OPT_LEN) {
+ android_errorWriteLog(0x534e4554, "114238578");
+ LLCP_TRACE_ERROR0("llcp_util_parse_link_params (): Bad TLV's");
+ return false;
+ }
BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_opt, p);
LLCP_TRACE_DEBUG1("Peer OPT - 0x%02X", llcp_cb.lcb.peer_opt);
break;
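Review bot: None of the new guards says why an exact match is required rather than a minimum, so a later reader may "relax" `!=` to `<`; a one-line comment on the WKS guard would pin the reason: `/* fixed-size TLV: the BE_STREAM_TO_* read below always consumes LLCP_WKS_LEN bytes regardless of LENGTH, so any other value misaligns p or reads past the PDU */`. Relaxing to `<` would keep the read itself inside the PDU only because `length -= param_len + 2` has already charged the whole TLV, but `p` would then not be advanced past the surplus bytes and the next TLV would be parsed from the middle of this one. The enclosing function begins before this hunk and its default arm, which presumably steps over unknown types, is outside it.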
@@ -467,13 +492,18 @@
/* check remaining lengh */
if (length < param_len + 2) {
android_errorWriteLog(0x534e4554, "111660010");
- LLCP_TRACE_ERROR0("llcp_util_parse_connect (): Bad LTV's");
+ LLCP_TRACE_ERROR0("llcp_util_parse_connect (): Bad TLV's");
return LLCP_STATUS_FAIL;
}
length -= param_len + 2;
switch (param_type) {
case LLCP_MIUX_TYPE:
+ if (param_len != LLCP_MIUX_LEN) {
+ android_errorWriteLog(0x534e4554, "111660010");
+ LLCP_TRACE_ERROR0("llcp_util_parse_connect (): Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
BE_STREAM_TO_UINT16(p_params->miu, p);
p_params->miu &= LLCP_MIUX_MASK;
p_params->miu += LLCP_DEFAULT_MIU;
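Review bot: The new MIUX guard fails the whole CONNECT on a LENGTH mismatch, whereas the `default` arm (outside this hunk) presumably just steps over a TLV it does not understand; whether a malformed known TLV should be rejected or skipped is a spec and interoperability question, so the strictness deserves a comment that makes it read as deliberate, e.g. `/* reject rather than skip: a known TLV with the wrong LENGTH is a malformed CONNECT */`. Skipping instead would be `p += param_len; break;` in place of the return, but only if NFC Forum LLCP actually asks for that. Separately, the `length < param_len + 2` check protects only the value bytes; the loop header that precedes the two BE_STREAM_TO_UINT8 header reads is outside the hunk and must itself guarantee at least two bytes remain. llcp_util_parse_connect starts before and ends after this hunk.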
@@ -483,6 +513,11 @@
break;
case LLCP_RW_TYPE:
+ if (param_len != LLCP_RW_LEN) {
+ android_errorWriteLog(0x534e4554, "111660010");
+ LLCP_TRACE_ERROR0("llcp_util_parse_connect (): Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
BE_STREAM_TO_UINT8(p_params->rw, p);
p_params->rw &= 0x0F;
@@ -595,13 +630,18 @@
BE_STREAM_TO_UINT8(param_len, p);
if (length < param_len + 2) {
android_errorWriteLog(0x534e4554, "114237888");
- LLCP_TRACE_ERROR0("llcp_util_parse_cc (): Bad LTV's");
+ LLCP_TRACE_ERROR0("llcp_util_parse_cc (): Bad TLV's");
return LLCP_STATUS_FAIL;
}
length -= param_len + 2;
switch (param_type) {
case LLCP_MIUX_TYPE:
+ if (param_len != LLCP_MIUX_LEN) {
+ android_errorWriteLog(0x534e4554, "114237888");
+ LLCP_TRACE_ERROR0("llcp_util_parse_cc (): Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
BE_STREAM_TO_UINT16((*p_miu), p);
(*p_miu) &= LLCP_MIUX_MASK;
(*p_miu) += LLCP_DEFAULT_MIU;
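Review bot: `*p_miu` is written as soon as the MIUX TLV is parsed, so a CC whose later TLV trips the new length guard returns LLCP_STATUS_FAIL with the caller's miu already overwritten, and nothing visible states that the out-parameters are unspecified on failure. Either document it on the function — `/* On LLCP_STATUS_FAIL, *p_miu and *p_rw may hold values from TLVs parsed before the error; callers must not use them */` — or parse into locals and assign both outputs only after the loop completes. The function's prologue, where the outputs may already be seeded with defaults, and its loop header are outside this hunk.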
@@ -610,6 +650,11 @@
break;
case LLCP_RW_TYPE:
+ if (param_len != LLCP_RW_LEN) {
+ android_errorWriteLog(0x534e4554, "114237888");
+ LLCP_TRACE_ERROR0("llcp_util_parse_cc (): Bad TLV's");
+ return LLCP_STATUS_FAIL;
+ }
BE_STREAM_TO_UINT8((*p_rw), p);
(*p_rw) &= 0x0F;