OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2
Bug: 238177877
Test: build ok
Merged-In: I2b412a44099021da923bda23fad1e17e961b86aa
Change-Id: Idec58a09db2346bd340b33293cc5b67f2490b5ff
(cherry picked from commit a77b3b8ceacfd75cac672ded4301fadebb3811e4)
Merged-In: Idec58a09db2346bd340b33293cc5b67f2490b5ff
(cherry picked from commit ad5e22975df2df5198e8d8e3df0c59d31262776e)
diff --git a/pn8x/halimpl/mifare/NxpMfcReader.cc b/pn8x/halimpl/mifare/NxpMfcReader.cc
index ba850eb..602a2b7 100644
--- a/pn8x/halimpl/mifare/NxpMfcReader.cc
+++ b/pn8x/halimpl/mifare/NxpMfcReader.cc
@@ -53,13 +53,13 @@
BuildMfcCmd(&mfcTagCmdBuff[3], &mfcTagCmdBuffLen);
mfcTagCmdBuff[2] = mfcTagCmdBuffLen;
- mfcDataLen = mfcTagCmdBuffLen + NCI_HEADER_SIZE;
- int writtenDataLen = phNxpNciHal_write_internal(mfcDataLen, mfcTagCmdBuff);
+ int writtenDataLen = phNxpNciHal_write_internal(
+ mfcTagCmdBuffLen + NCI_HEADER_SIZE, mfcTagCmdBuff);
/* send TAG_CMD part 2 for Mifare increment ,decrement and restore commands */
if (mfcTagCmdBuff[4] == eMifareDec || mfcTagCmdBuff[4] == eMifareInc ||
mfcTagCmdBuff[4] == eMifareRestore) {
- SendIncDecRestoreCmdPart2(pMfcData);
+ SendIncDecRestoreCmdPart2(mfcDataLen, pMfcData);
}
return writtenDataLen;
}
@@ -263,7 +263,8 @@
** Returns None
**
*******************************************************************************/
-void NxpMfcReader::SendIncDecRestoreCmdPart2(const uint8_t* mfcData) {
+void NxpMfcReader::SendIncDecRestoreCmdPart2(uint16_t mfcDataLen,
+ const uint8_t* mfcData) {
NFCSTATUS status = NFCSTATUS_SUCCESS;
/* Build TAG_CMD part 2 for Mifare increment ,decrement and restore commands*/
uint8_t incDecRestorePart2[] = {0x00, 0x00, 0x05, (uint8_t)eMfRawDataXchgHdr,
@@ -271,6 +272,10 @@
uint8_t incDecRestorePart2Size =
(sizeof(incDecRestorePart2) / sizeof(incDecRestorePart2[0]));
if (mfcData[3] == eMifareInc || mfcData[3] == eMifareDec) {
+ if (incDecRestorePart2Size >= mfcDataLen) {
+ incDecRestorePart2Size = mfcDataLen - 1;
+ android_errorWriteLog(0x534e4554, "238177877");
+ }
for (int i = 4; i < incDecRestorePart2Size; i++) {
incDecRestorePart2[i] = mfcData[i + 1];
}
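Review bot: The new clamp `incDecRestorePart2Size = mfcDataLen - 1;` underflows when mfcDataLen is 0: the guard `incDecRestorePart2Size >= mfcDataLen` is true for 0, the result wraps to 255 in the uint8_t, and the loop below then reads mfcData[5..255] and writes incDecRestorePart2[4..254], past both the caller's buffer and the local one. The `mfcData[3]` comparison that encloses the new guard also runs before any length check, so a buffer shorter than 4 bytes is still read out of bounds; the snxxx caller's `if (mfcDataLen >= 3)` suggests such lengths can arrive, though whether Write's callers ever pass them is not visible here. A length guard placed before the `mfcData[3]` read, e.g. `if (mfcDataLen < 4) { android_errorWriteLog(0x534e4554, "238177877"); return; }`, closes both cases, assuming the rest of the function should not send part 2 for such a request. The identical code is added in the snxxx hunk `@@ -270,6 +276,10 @@` and needs the same change. SendIncDecRestoreCmdPart2's body continues outside the hunk.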
diff --git a/pn8x/halimpl/mifare/NxpMfcReader.h b/pn8x/halimpl/mifare/NxpMfcReader.h
index 8820eaf..97f6ccb 100644
--- a/pn8x/halimpl/mifare/NxpMfcReader.h
+++ b/pn8x/halimpl/mifare/NxpMfcReader.h
@@ -109,7 +109,7 @@
void BuildIncDecCmd();
void CalcSectorAddress();
void AuthForWrite();
- void SendIncDecRestoreCmdPart2(const uint8_t* mfcData);
+ void SendIncDecRestoreCmdPart2(uint16_t mfcDataLen, const uint8_t* mfcData);
public:
int Write(uint16_t mfcDataLen, const uint8_t* pMfcData);
@@ -117,4 +117,4 @@
NFCSTATUS CheckMfcResponse(uint8_t* pTransceiveData,
uint16_t transceiveDataLen);
static NxpMfcReader& getInstance();
-};
\ No newline at end of file
+};
diff --git a/snxxx/halimpl/mifare/NxpMfcReader.cc b/snxxx/halimpl/mifare/NxpMfcReader.cc
index b111ace..83fe1d9 100644
--- a/snxxx/halimpl/mifare/NxpMfcReader.cc
+++ b/snxxx/halimpl/mifare/NxpMfcReader.cc
@@ -43,18 +43,23 @@
uint16_t mfcTagCmdBuffLen = 0;
uint8_t mfcTagCmdBuff[MAX_MFC_BUFF_SIZE] = {0};
+ if (mfcDataLen > MAX_MFC_BUFF_SIZE) {
+ android_errorWriteLog(0x534e4554, "169259605");
+ mfcDataLen = MAX_MFC_BUFF_SIZE;
+ }
+
memcpy(mfcTagCmdBuff, pMfcData, mfcDataLen);
if (mfcDataLen >= 3) mfcTagCmdBuffLen = mfcDataLen - NCI_HEADER_SIZE;
BuildMfcCmd(&mfcTagCmdBuff[3], &mfcTagCmdBuffLen);
mfcTagCmdBuff[2] = mfcTagCmdBuffLen;
- mfcDataLen = mfcTagCmdBuffLen + NCI_HEADER_SIZE;
- int writtenDataLen = phNxpNciHal_write_internal(mfcDataLen, mfcTagCmdBuff);
+ int writtenDataLen = phNxpNciHal_write_internal(
+ mfcTagCmdBuffLen + NCI_HEADER_SIZE, mfcTagCmdBuff);
/* send TAG_CMD part 2 for Mifare increment ,decrement and restore commands */
if (mfcTagCmdBuff[4] == eMifareDec || mfcTagCmdBuff[4] == eMifareInc ||
mfcTagCmdBuff[4] == eMifareRestore) {
- SendIncDecRestoreCmdPart2(pMfcData);
+ SendIncDecRestoreCmdPart2(mfcDataLen, pMfcData);
}
return writtenDataLen;
}
@@ -262,7 +267,8 @@
** Returns None
**
*******************************************************************************/
-void NxpMfcReader::SendIncDecRestoreCmdPart2(const uint8_t* mfcData) {
+void NxpMfcReader::SendIncDecRestoreCmdPart2(uint16_t mfcDataLen,
+ const uint8_t* mfcData) {
NFCSTATUS status = NFCSTATUS_SUCCESS;
/* Build TAG_CMD part 2 for Mifare increment ,decrement and restore commands*/
uint8_t incDecRestorePart2[] = {0x00, 0x00, 0x05, (uint8_t)eMfRawDataXchgHdr,
@@ -270,6 +276,10 @@
uint8_t incDecRestorePart2Size =
(sizeof(incDecRestorePart2) / sizeof(incDecRestorePart2[0]));
if (mfcData[3] == eMifareInc || mfcData[3] == eMifareDec) {
+ if (incDecRestorePart2Size >= mfcDataLen) {
+ incDecRestorePart2Size = mfcDataLen - 1;
+ android_errorWriteLog(0x534e4554, "238177877");
+ }
for (int i = 4; i < incDecRestorePart2Size; i++) {
incDecRestorePart2[i] = mfcData[i + 1];
}
diff --git a/snxxx/halimpl/mifare/NxpMfcReader.h b/snxxx/halimpl/mifare/NxpMfcReader.h
index b5bfb6f..4ae8009 100644
--- a/snxxx/halimpl/mifare/NxpMfcReader.h
+++ b/snxxx/halimpl/mifare/NxpMfcReader.h
@@ -109,7 +109,7 @@
void BuildIncDecCmd();
void CalcSectorAddress();
void AuthForWrite();
- void SendIncDecRestoreCmdPart2(const uint8_t* mfcData);
+ void SendIncDecRestoreCmdPart2(uint16_t mfcDataLen, const uint8_t* mfcData);
public:
int Write(uint16_t mfcDataLen, const uint8_t* pMfcData);
@@ -117,4 +117,4 @@
NFCSTATUS CheckMfcResponse(uint8_t* pTransceiveData,
uint16_t transceiveDataLen);
static NxpMfcReader& getInstance();
-};
\ No newline at end of file
+};