Snap for 5986893 from 0cc1b15ded971bbeb5d00d719d10026af957aaba to android10-tests-release

Change-Id: Ifbe39dcbd7f315670f719d1f4872a6ea1f4964fa
diff --git a/src/nfa/hci/nfa_hci_act.cc b/src/nfa/hci/nfa_hci_act.cc
index 89a56ca..4ad9754 100644
--- a/src/nfa/hci/nfa_hci_act.cc
+++ b/src/nfa/hci/nfa_hci_act.cc
@@ -25,6 +25,7 @@
 
 #include <android-base/stringprintf.h>
 #include <base/logging.h>
+#include <log/log.h>
 
 #include "nfa_dm_int.h"
 #include "nfa_hci_api.h"
@@ -1401,7 +1402,8 @@
         } else if (nfa_hci_cb.param_in_use == NFA_HCI_SESSION_IDENTITY_INDEX) {
           /* The only parameter we get when initializing is the session ID.
            * Check for match. */
-          if (!memcmp((uint8_t*)nfa_hci_cb.cfg.admin_gate.session_id, p_data,
+          if (data_len >= NFA_HCI_SESSION_ID_LEN &&
+              !memcmp((uint8_t*)nfa_hci_cb.cfg.admin_gate.session_id, p_data,
                       NFA_HCI_SESSION_ID_LEN)) {
             /* Session has not changed, Set WHITELIST */
             nfa_hciu_send_set_param_cmd(
@@ -1412,6 +1414,9 @@
              * default session id */
             nfa_hciu_send_clear_all_pipe_cmd();
             nfa_hci_cb.b_hci_netwk_reset = true;
+            if (data_len < NFA_HCI_SESSION_ID_LEN) {
+              android_errorWriteLog(0x534e4554, "124524315");
+            }
           }
         }
         break;
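Review bot: A response shorter than NFA_HCI_SESSION_ID_LEN now lands in this else branch and is handled exactly like a changed session, so a truncated reply leads to `nfa_hciu_send_clear_all_pipe_cmd()` and a network reset, and no comment says that this is intended. Stating the fail-closed choice next to the added check would help, e.g. `/* Short response: cannot compare, treat as a session mismatch and reset */`. The same applies to the matching check in the NFA_HCI_ANY_GET_PARAMETER case further down, where a short reply continues into the deregister/remove-gate handling. The enclosing branch begins outside this hunk.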
@@ -1464,7 +1469,8 @@
 
       case NFA_HCI_ANY_GET_PARAMETER:
         if (nfa_hci_cb.param_in_use == NFA_HCI_SESSION_IDENTITY_INDEX) {
-          if (!memcmp((uint8_t*)default_session, p_data,
+          if (data_len >= NFA_HCI_SESSION_ID_LEN &&
+              !memcmp((uint8_t*)default_session, p_data,
                       NFA_HCI_SESSION_ID_LEN)) {
             memcpy(&nfa_hci_cb.cfg.admin_gate
                         .session_id[(NFA_HCI_SESSION_ID_LEN / 2)],
@@ -1479,6 +1485,9 @@
                 NFA_HCI_SESSION_ID_LEN,
                 (uint8_t*)nfa_hci_cb.cfg.admin_gate.session_id);
           } else {
+            if (data_len < NFA_HCI_SESSION_ID_LEN) {
+              android_errorWriteLog(0x534e4554, "124524315");
+            }
             if (nfa_hci_cb.hci_state == NFA_HCI_STATE_APP_DEREGISTER)
               nfa_hci_api_deregister(nullptr);
             else if (nfa_hci_cb.hci_state == NFA_HCI_STATE_REMOVE_GATE)
@@ -1486,6 +1495,10 @@
           }
         } else if (nfa_hci_cb.param_in_use == NFA_HCI_HOST_LIST_INDEX) {
           evt_data.hosts.status = status;
+          if (data_len > NFA_HCI_MAX_HOST_IN_NETWORK) {
+            data_len = NFA_HCI_MAX_HOST_IN_NETWORK;
+            android_errorWriteLog(0x534e4554, "124524315");
+          }
           evt_data.hosts.num_hosts = data_len;
           memcpy(evt_data.hosts.host, p_data, data_len);
 
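Review bot: The clamp bounds `data_len` by NFA_HCI_MAX_HOST_IN_NETWORK, while the copy writes into `evt_data.hosts.host`, whose declaration is not visible here; if the two ever disagree, the `memcpy` can overrun again. Assuming `host` is an array member rather than a pointer, bounding by the destination keeps them in step: `if (data_len > sizeof(evt_data.hosts.host)) {`. Separately, the shortened list is still reported with the original `status`, so the application cannot tell it is incomplete; consider whether `evt_data.hosts.status = NFA_STATUS_FAILED;` belongs inside the clamp.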
@@ -1523,7 +1536,8 @@
         break;
 
       case NFA_HCI_ADM_CREATE_PIPE:
-        if (status == NFA_STATUS_OK) {
+        // p_data should have at least 5 bytes length for pipe info
+        if (data_len >= 5 && status == NFA_STATUS_OK) {
           STREAM_TO_UINT8(source_host, p_data);
           STREAM_TO_UINT8(source_gate, p_data);
           STREAM_TO_UINT8(dest_host, p_data);
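Review bot: The literal `5` in `data_len >= 5` is a magic number that has to stay equal to the count of `STREAM_TO_UINT8` reads in this branch, and it is repeated in the `else if` added further down. Only three of those reads are visible in this hunk, so the count cannot be confirmed from here. A named constant would tie the bound to the response layout, as this same commit does with `RW_I93_CC_SIZE` in rw_i93.cc, for example `#define NFA_HCI_CREATE_PIPE_RSP_LEN 5` (name suggested) used in both conditions.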
@@ -1540,6 +1554,9 @@
           }
 
           nfa_hciu_add_pipe_to_gate(pipe, source_gate, dest_host, dest_gate);
+        } else if (data_len < 5 && status == NFA_STATUS_OK) {
+          android_errorWriteLog(0x534e4554, "124524315");
+          status = NFA_STATUS_FAILED;
         }
 
         /* Tell the application his pipe was created or not */
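Review bot: On the short-response path `status` is forced to NFA_STATUS_FAILED, but `source_host`, `source_gate`, `dest_host` and the remaining fields are never read from `p_data`. The code that notifies the application follows outside this hunk; if it copies those locals into the event, it would report uninitialised or stale values. Confirm they are initialised at declaration, or zero them in this branch. The condition can also be reduced to `} else if (status == NFA_STATUS_OK) {`, since the first branch already covers `data_len >= 5` with that status.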
diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
index 46f2bc8..495ee8f 100644
--- a/src/nfc/tags/rw_i93.cc
+++ b/src/nfc/tags/rw_i93.cc
@@ -50,6 +50,8 @@
 #define RW_I93_FORMAT_DATA_LEN 8
 /* max getting lock status if get multi block sec is supported */
 #define RW_I93_GET_MULTI_BLOCK_SEC_SIZE 253
+/*Capability Container CC Size */
+#define RW_I93_CC_SIZE 4
 
 /* main state */
 enum {
@@ -1743,8 +1745,14 @@
 
     case RW_I93_SUBSTATE_WAIT_CC:
 
-      /* assume block size is more than 4 */
-      STREAM_TO_ARRAY(cc, p, 4);
+      if (length < RW_I93_CC_SIZE) {
+        android_errorWriteLog(0x534e4554, "139188579");
+        rw_i93_handle_error(NFC_STATUS_FAILED);
+        return;
+      }
+
+      /* assume block size is more than RW_I93_CC_SIZE 4 */
+      STREAM_TO_ARRAY(cc, p, RW_I93_CC_SIZE);
 
       status = NFC_STATUS_FAILED;
 
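Review bot: The retained comment `/* assume block size is more than RW_I93_CC_SIZE 4 */` is now misleading, because the added guard enforces the length instead of assuming it, and the wording mixes the macro name with its value. I would replace it with `/* length >= RW_I93_CC_SIZE was checked above; read the CC bytes */`. The define's own comment would also read better as `/* Capability Container (CC) size in bytes */`.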
@@ -2798,6 +2806,12 @@
   switch (p_i93->sub_state) {
     case RW_I93_SUBSTATE_WAIT_CC:
 
+      if (length < RW_I93_CC_SIZE) {
+        android_errorWriteLog(0x534e4554, "139188579");
+        rw_i93_handle_error(NFC_STATUS_FAILED);
+        return;
+      }
+
       /* mark CC as read-only */
       *(p + 1) |= I93_ICODE_CC_READ_ONLY;