Merge the 2019-10-05 SPL branch from AOSP-Partner

* security-aosp-nyc-mr2-release:
  Prevent OOB read in rw_t4t.cc
  Prevent integer overflow in NDEF_MsgValidate

Change-Id: I5185fd0e794f37b2fe3001bb1f945415dc54c3b8
diff --git a/src/nfc/include/tags_defs.h b/src/nfc/include/tags_defs.h
index 14d2859..95cc984 100644
--- a/src/nfc/include/tags_defs.h
+++ b/src/nfc/include/tags_defs.h
@@ -384,6 +384,7 @@
 
 #define T4T_FILE_LENGTH_SIZE            0x02
 #define T4T_ADDI_FRAME_RESP             0xAFU
+#define T4T_DES_GET_VERSION_LEN         0x09
 #define T4T_SIZE_IDENTIFIER_2K          0x16U
 #define T4T_SIZE_IDENTIFIER_4K          0x18U
 #define T4T_SIZE_IDENTIFIER_8K          0x1AU
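Review bot: T4T_DES_GET_VERSION_LEN is added without a comment saying what the 9 bytes are, so a reader of this header cannot tell what response it bounds. Presumably it is the 7-byte GET VERSION data followed by SW1/SW2, which matches the offsets 3 and 4 read in rw_t4t.c; a trailing comment such as `/* min R-APDU len: 7-byte GET VERSION data + SW1/SW2 */` would document that, with the figure confirmed against the parser.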
diff --git a/src/nfc/ndef/ndef_utils.c b/src/nfc/ndef/ndef_utils.c
index 974005a..0c4f320 100644
--- a/src/nfc/ndef/ndef_utils.c
+++ b/src/nfc/ndef/ndef_utils.c
@@ -24,6 +24,7 @@
  *
  ******************************************************************************/
 #include <string.h>
+#include <log/log.h>
 #include "ndef_utils.h"
 
 /*******************************************************************************
@@ -80,6 +81,7 @@
 {
     UINT8   *p_rec = p_msg;
     UINT8   *p_end = p_msg + msg_len;
+    UINT8   *p_new;
     UINT8   rec_hdr=0, type_len, id_len;
     int     count;
     UINT32  payload_len;
@@ -187,6 +189,14 @@
                 return (NDEF_MSG_LENGTH_MISMATCH);
         }
 
+        /* Check for OOB */
+        p_new = p_rec + (payload_len + type_len + id_len);
+        if (p_rec > p_new || p_end < p_new)
+        {
+            android_errorWriteLog(0x534e4554, "126200054");
+            return (NDEF_MSG_LENGTH_MISMATCH);
+        }
+
         /* Point to next record */
         p_rec += (payload_len + type_len + id_len);
 
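Review bot: The check at `p_new = p_rec + (payload_len + type_len + id_len)` forms a pointer that may lie past the end of the message before testing it; in C, pointer arithmetic beyond one-past-the-end is undefined, so `p_rec > p_new` is not a reliable wraparound test and an optimizer is free to treat it as always false. Comparing lengths avoids the out-of-range pointer entirely: `UINT32 remain = (UINT32)(p_end - p_rec);` then `if (payload_len > remain || (remain - payload_len) < (UINT32)type_len + id_len) { android_errorWriteLog(0x534e4554, "126200054"); return (NDEF_MSG_LENGTH_MISMATCH); }`, which also makes the `p_new` local added in the earlier hunk unnecessary. This assumes the loop keeps `p_rec <= p_end`, which the loop header outside this hunk would confirm; NDEF_MsgValidate's body starts and continues outside the hunk.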
diff --git a/src/nfc/tags/rw_t4t.c b/src/nfc/tags/rw_t4t.c
index c634591..044432d 100644
--- a/src/nfc/tags/rw_t4t.c
+++ b/src/nfc/tags/rw_t4t.c
@@ -23,6 +23,7 @@
  *  mode.
  *
  ******************************************************************************/
+#include <log/log.h>
 #include <string.h>
 #include "nfc_target.h"
 #include "bt_types.h"
@@ -220,6 +221,12 @@
     UINT8           *p;
     UINT16          major_version, minor_version;
 
+    if (p_r_apdu->len < T4T_DES_GET_VERSION_LEN) {
+        RW_TRACE_ERROR1("%s incorrect p_r_apdu length", __func__);
+        android_errorWriteLog(0x534e4554, "120865977");
+        return FALSE;
+    }
+
     p = (UINT8 *) (p_r_apdu + 1) + p_r_apdu->offset;
     major_version = *(p + 3);
     minor_version = *(p + 4);
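Review bot: The new guard rejects responses shorter than T4T_DES_GET_VERSION_LEN before the reads at `*(p + 3)` and `*(p + 4)`, but nothing at the check says why 9 is the bound, and the rest of the function is outside the hunk, so whether later reads stay below that length cannot be confirmed here. Presumably 9 is the 7-byte GET VERSION payload plus the two status words; a comment at the check such as `/* GET VERSION response: 7 data bytes + SW1/SW2 */` would tie the constant to the offsets read below. The enclosing function starts before the hunk.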
@@ -1070,6 +1077,8 @@
 
         rw_data.t4t_sw.sw1    = sw1;
         rw_data.t4t_sw.sw2    = sw2;
+        rw_data.ndef.cur_size = 0;
+        rw_data.ndef.max_size = 0;
 
         switch (p_t4t->state)
         {
@@ -1978,6 +1987,16 @@
     RW_TRACE_DEBUG1 ("RW T4T state: %d", p_t4t->state);
 #endif
 
+    if (p_t4t->state != RW_T4T_STATE_IDLE &&
+        p_t4t->state != RW_T4T_STATE_PRESENCE_CHECK &&
+        p_r_apdu->len < T4T_RSP_STATUS_WORDS_SIZE) {
+        RW_TRACE_ERROR1("%s incorrect p_r_apdu length", __func__);
+        android_errorWriteLog(0x534e4554, "120865977");
+        rw_t4t_handle_error(NFC_STATUS_FAILED, 0, 0);
+        GKI_freebuf(p_r_apdu);
+        return;
+    }
+
     switch (p_t4t->state)
     {
     case RW_T4T_STATE_IDLE:
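Review bot: The exemption of RW_T4T_STATE_IDLE and RW_T4T_STATE_PRESENCE_CHECK from the T4T_RSP_STATUS_WORDS_SIZE check is undocumented; presumably those states do not read SW1/SW2 from the response, but nothing in the hunk shows it, and anyone adding a state later has no guidance on whether to extend the list. A comment above the condition, e.g. `/* IDLE and PRESENCE_CHECK do not parse status words; every other state reads SW1/SW2 */` (confirmed against the cases below), would make the intent explicit. The same log tag, bug id and error text also appear in the earlier hunk around line 221; a small static helper would keep them in sync. The switch continues past the hunk.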