Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / hardware / nxp / nfc / 069e142ba18c4296d05c7cc0748083f7bb814859^! / .
commit069e142ba18c4296d05c7cc0748083f7bb814859[log] [tgz]
authorAlisher Alikhodjaev <alisher@google.com>Tue Jan 24 21:42:11 2023 +0000
committerFairphone ODM <fairphone-odm@localhost>Mon Apr 10 15:32:09 2023 +0800
tree6dfc9370b0ca8b734aef50c9d6478e2dccf5b0e1
parentda0f1cc6caf9cae9e3f20bb39844062dae7ec9b3 [diff]
Revert "OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2"

This reverts commit 385141739f4209ef6dd3968dd841a7e3a25b50af.

Reason for revert: CVE-2022-20471 re-released due to functional regression

Change-Id: I188dac7bd3475e96b6c78ef5992b6422522b205e
Merged-In: I904041f179a50f56bd6454e3f414915c9ab61edd
(cherry picked from commit 415918b18760ad3caa32e67e5ed35dddadadb7d3)
Merged-In: I188dac7bd3475e96b6c78ef5992b6422522b205e
(cherry picked from commit f4bad97844ee445f65597190ad8e3270231dec1b)

diff --git a/pn8x/halimpl/mifare/NxpMfcReader.cc b/pn8x/halimpl/mifare/NxpMfcReader.cc
index 23a482e..ba850eb 100644
--- a/pn8x/halimpl/mifare/NxpMfcReader.cc
+++ b/pn8x/halimpl/mifare/NxpMfcReader.cc

@@ -59,7 +59,7 @@
   /* send TAG_CMD part 2 for Mifare increment ,decrement and restore commands */
   if (mfcTagCmdBuff[4] == eMifareDec || mfcTagCmdBuff[4] == eMifareInc ||
       mfcTagCmdBuff[4] == eMifareRestore) {
-    SendIncDecRestoreCmdPart2(mfcDataLen, pMfcData);
+    SendIncDecRestoreCmdPart2(pMfcData);
   }
   return writtenDataLen;
 }
@@ -263,20 +263,14 @@
 ** Returns          None
 **
 *******************************************************************************/
-void NxpMfcReader::SendIncDecRestoreCmdPart2(uint16_t mfcDataLen,
-                                             const uint8_t* mfcData) {
+void NxpMfcReader::SendIncDecRestoreCmdPart2(const uint8_t* mfcData) {
   NFCSTATUS status = NFCSTATUS_SUCCESS;
   /* Build TAG_CMD part 2 for Mifare increment ,decrement and restore commands*/
   uint8_t incDecRestorePart2[] = {0x00, 0x00, 0x05, (uint8_t)eMfRawDataXchgHdr,
                                   0x00, 0x00, 0x00, 0x00};
   uint8_t incDecRestorePart2Size =
       (sizeof(incDecRestorePart2) / sizeof(incDecRestorePart2[0]));
-
   if (mfcData[3] == eMifareInc || mfcData[3] == eMifareDec) {
-    if (incDecRestorePart2Size >= mfcDataLen) {
-      incDecRestorePart2Size = mfcDataLen - 1;
-      android_errorWriteLog(0x534e4554, "238177877");
-    }
     for (int i = 4; i < incDecRestorePart2Size; i++) {
       incDecRestorePart2[i] = mfcData[i + 1];
     }

diff --git a/pn8x/halimpl/mifare/NxpMfcReader.h b/pn8x/halimpl/mifare/NxpMfcReader.h
index 97f6ccb..8820eaf 100644
--- a/pn8x/halimpl/mifare/NxpMfcReader.h
+++ b/pn8x/halimpl/mifare/NxpMfcReader.h

@@ -109,7 +109,7 @@
   void BuildIncDecCmd();
   void CalcSectorAddress();
   void AuthForWrite();
-  void SendIncDecRestoreCmdPart2(uint16_t mfcDataLen, const uint8_t* mfcData);
+  void SendIncDecRestoreCmdPart2(const uint8_t* mfcData);
 
  public:
   int Write(uint16_t mfcDataLen, const uint8_t* pMfcData);
@@ -117,4 +117,4 @@
   NFCSTATUS CheckMfcResponse(uint8_t* pTransceiveData,
                              uint16_t transceiveDataLen);
   static NxpMfcReader& getInstance();
-};
+};
\ No newline at end of file

diff --git a/snxxx/halimpl/mifare/NxpMfcReader.cc b/snxxx/halimpl/mifare/NxpMfcReader.cc
index b4ca679..b111ace 100644
--- a/snxxx/halimpl/mifare/NxpMfcReader.cc
+++ b/snxxx/halimpl/mifare/NxpMfcReader.cc

@@ -54,7 +54,7 @@
   /* send TAG_CMD part 2 for Mifare increment ,decrement and restore commands */
   if (mfcTagCmdBuff[4] == eMifareDec || mfcTagCmdBuff[4] == eMifareInc ||
       mfcTagCmdBuff[4] == eMifareRestore) {
-    SendIncDecRestoreCmdPart2(mfcDataLen, pMfcData);
+    SendIncDecRestoreCmdPart2(pMfcData);
   }
   return writtenDataLen;
 }
@@ -262,20 +262,14 @@
 ** Returns          None
 **
 *******************************************************************************/
-void NxpMfcReader::SendIncDecRestoreCmdPart2(uint16_t mfcDataLen,
-                                             const uint8_t* mfcData) {
+void NxpMfcReader::SendIncDecRestoreCmdPart2(const uint8_t* mfcData) {
   NFCSTATUS status = NFCSTATUS_SUCCESS;
   /* Build TAG_CMD part 2 for Mifare increment ,decrement and restore commands*/
   uint8_t incDecRestorePart2[] = {0x00, 0x00, 0x05, (uint8_t)eMfRawDataXchgHdr,
                                   0x00, 0x00, 0x00, 0x00};
   uint8_t incDecRestorePart2Size =
       (sizeof(incDecRestorePart2) / sizeof(incDecRestorePart2[0]));
-
   if (mfcData[3] == eMifareInc || mfcData[3] == eMifareDec) {
-    if (incDecRestorePart2Size >= mfcDataLen) {
-      incDecRestorePart2Size = mfcDataLen - 1;
-      android_errorWriteLog(0x534e4554, "238177877");
-    }
     for (int i = 4; i < incDecRestorePart2Size; i++) {
       incDecRestorePart2[i] = mfcData[i + 1];
     }

diff --git a/snxxx/halimpl/mifare/NxpMfcReader.h b/snxxx/halimpl/mifare/NxpMfcReader.h
index ce39c85..b5bfb6f 100644
--- a/snxxx/halimpl/mifare/NxpMfcReader.h
+++ b/snxxx/halimpl/mifare/NxpMfcReader.h

@@ -109,7 +109,7 @@
   void BuildIncDecCmd();
   void CalcSectorAddress();
   void AuthForWrite();
-  void SendIncDecRestoreCmdPart2(uint16_t mfcDataLen, const uint8_t* mfcData);
+  void SendIncDecRestoreCmdPart2(const uint8_t* mfcData);
 
  public:
   int Write(uint16_t mfcDataLen, const uint8_t* pMfcData);