Merge branch 'dev/11/fp3/security-aosp-rvc-release' into int/11/fp3
* dev/11/fp3/security-aosp-rvc-release:
OOBR in AnalyzeMfcResp in NxpMfcReader.cc
Change-Id: I9a9a11d6da11a31b9e80b402e44ed93d7dae6ee5
diff --git a/1.1/Nfc.cpp b/1.1/Nfc.cpp
index 9954c1f..d4a4eb7 100755
--- a/1.1/Nfc.cpp
+++ b/1.1/Nfc.cpp
@@ -72,7 +72,7 @@
Return<V1_0::NfcStatus> Nfc::coreInitialized(const hidl_vec<uint8_t>& data) {
hidl_vec<uint8_t> copy = data;
- NFCSTATUS status = phNxpNciHal_core_initialized(©[0]);
+ NFCSTATUS status = phNxpNciHal_core_initialized(copy.size(), ©[0]);
return CHK_STATUS(status);
}
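Review bot: `&copy[0]` on the new call line still indexes an empty `hidl_vec` when `data` is empty, which is undefined behaviour regardless of the length now passed beside it; use the accessor that is defined for that case, `NFCSTATUS status = phNxpNciHal_core_initialized(copy.size(), copy.data());`. `copy.size()` is also narrowed to the callee's `uint16_t` parameter, so a 65536-byte payload would arrive as length 0 — harmless for the new bounds checks, but it would be cleaner to reject oversize input explicitly (return the HAL failure status when `copy.size() > UINT16_MAX`) than to silently drop it.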
diff --git a/1.2/Nfc.cpp b/1.2/Nfc.cpp
index 540f982..bf1095b 100755
--- a/1.2/Nfc.cpp
+++ b/1.2/Nfc.cpp
@@ -71,7 +71,7 @@
Return<V1_0::NfcStatus> Nfc::coreInitialized(const hidl_vec<uint8_t>& data) {
hidl_vec<uint8_t> copy = data;
- NFCSTATUS status = phNxpNciHal_core_initialized(©[0]);
+ NFCSTATUS status = phNxpNciHal_core_initialized(copy.size(), ©[0]);
return CHK_STATUS(status);
}
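Review bot: Same issue as the 1.1 wrapper: `&copy[0]` dereferences an empty `hidl_vec` when `data` is empty, so the pointer should come from `copy.data()`: `NFCSTATUS status = phNxpNciHal_core_initialized(copy.size(), copy.data());`. The implicit `size_t` → `uint16_t` narrowing of `copy.size()` also deserves an explicit reject (`copy.size() > UINT16_MAX` → failure status) so a truncated length cannot quietly turn a large payload into "no recovery data".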
diff --git a/halimpl/hal/phNxpNciHal.cc b/halimpl/hal/phNxpNciHal.cc
index f9a482d..f1a9594 100644
--- a/halimpl/hal/phNxpNciHal.cc
+++ b/halimpl/hal/phNxpNciHal.cc
@@ -1237,7 +1237,7 @@
* Returns Always returns NFCSTATUS_SUCCESS (0).
*
******************************************************************************/
-int phNxpNciHal_core_initialized(uint8_t* p_core_init_rsp_params) {
+int phNxpNciHal_core_initialized(uint16_t core_init_rsp_params_len, uint8_t* p_core_init_rsp_params) {
NFCSTATUS status = NFCSTATUS_SUCCESS;
static uint8_t p2p_listen_mode_routing_cmd[] = {0x21, 0x01, 0x07, 0x00, 0x01,
0x01, 0x03, 0x00, 0x01, 0x05};
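Review bot: The function header comment still says "Always returns NFCSTATUS_SUCCESS (0)" while the function returns `NFCSTATUS_FAILED` when the HAL is not open and, with this change, on the new length checks further down this file; the new parameter is not documented either. I would replace that line with `* Returns NFCSTATUS_SUCCESS, or NFCSTATUS_FAILED when the HAL is not open or when core_init_rsp_params_len is too short for the command lengths embedded in p_core_init_rsp_params.` and add `* core_init_rsp_params_len - number of valid bytes at p_core_init_rsp_params; 0 means no recovery data.` The header file declares the same parameter as `core_init_rsp_len`; the two names should match. The function body continues well past this hunk.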
@@ -1277,7 +1277,8 @@
if (nxpncihal_ctrl.halStatus != HAL_STATUS_OPEN) {
return NFCSTATUS_FAILED;
}
- if ((*p_core_init_rsp_params > 0) &&
+ if (core_init_rsp_params_len >= 1 &&
+ (*p_core_init_rsp_params > 0) &&
(*p_core_init_rsp_params < 4)) // initializing for recovery.
{
retry_core_init:
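Review bot: The recovery predicate `core_init_rsp_params_len >= 1 && *p_core_init_rsp_params > 0 && *p_core_init_rsp_params < 4` is now spelled out four times in this function with the length guard attached each time, which is easy to get wrong (the final occurrence in this file handles the zero-length case differently from this one). Computing it once, e.g. `const bool in_recovery = core_init_rsp_params_len >= 1 && *p_core_init_rsp_params > 0 && *p_core_init_rsp_params < 4;` right after the `halStatus` check, would keep the checks consistent; the only write to `p_core_init_rsp_params[0]` visible in this diff comes after the last read, but confirm nothing outside the shown hunks modifies it earlier. The enclosing function starts before and ends after this hunk.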
@@ -1711,7 +1712,8 @@
config_access = false;
// if recovery mode and length of last command is 0 then only reset the P2P
// listen mode routing.
- if ((*p_core_init_rsp_params > 0) && (*p_core_init_rsp_params < 4) &&
+ if (core_init_rsp_params_len >= 36 &&
+ (*p_core_init_rsp_params > 0) && (*p_core_init_rsp_params < 4) &&
p_core_init_rsp_params[35] == 0) {
/* P2P listen mode routing */
status = phNxpNciHal_send_ext_cmd(sizeof(p2p_listen_mode_routing_cmd),
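Review bot: The bound `core_init_rsp_params_len >= 36` is correct for the `[35]` read, but the layout it encodes (last-command length at offset 35, command bytes from 36) is repeated as bare numbers throughout this function (`>= 36`, `>= 40`, `- 36`). Two named constants, `static const uint16_t kLastCmdLenOffset = 35;` and `static const uint16_t kLastCmdOffset = 36;`, would make each guard's arithmetic self-explanatory and prevent the offsets drifting apart in a future edit. The `send_ext_cmd` call and the enclosing function continue outside this hunk.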
@@ -1773,7 +1775,8 @@
}
}
- if ((*p_core_init_rsp_params > 0) && (*p_core_init_rsp_params < 4)) {
+ if (core_init_rsp_params_len >= 1 &&
+ (*p_core_init_rsp_params > 0) && (*p_core_init_rsp_params < 4)) {
static phLibNfc_Message_t msg;
uint16_t tmp_len = 0;
uint8_t uicc_set_mode[] = {0x22, 0x01, 0x02, 0x02, 0x01};
@@ -1812,7 +1815,8 @@
goto retry_core_init;
}
- if (*(p_core_init_rsp_params + 1) == 1) // RF state is Discovery!!
+ if (core_init_rsp_params_len >= 4 &&
+ *(p_core_init_rsp_params + 1) == 1) // RF state is Discovery!!
{
NXPLOG_NCIHAL_W("Sending Set Screen ON State Command as raw packet!!");
status =
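Review bot: The new `core_init_rsp_params_len >= 4` guard is sized for more than the `[1]` read on the same line — the branch it opens goes on to read the discovery-command length at `[2]` and the command bytes from `[3]` — but nothing says so, and a reader will wonder why 4 rather than 2. A short comment would fix that: `// need [1] (RF state), [2] (discovery cmd length) and at least [3] (cmd start)`. The branch body and the enclosing function continue past this hunk.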
@@ -1824,6 +1828,9 @@
goto retry_core_init;
}
+ if (p_core_init_rsp_params[2] > (core_init_rsp_params_len - 3)) {
+ return NFCSTATUS_FAILED;
+ }
NXPLOG_NCIHAL_W("Sending discovery as raw packet!!");
status = phNxpNciHal_send_ext_cmd(p_core_init_rsp_params[2],
(uint8_t*)&p_core_init_rsp_params[3]);
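Review bot: The new `return NFCSTATUS_FAILED` on a bad discovery-command length exits without going through either `phNxpNciHal_core_initialized_complete` or the `invoke_callback` data callback, which every other exit of this function (seen later in this file) passes through; if the upper layer waits on that completion, a malformed recovery buffer would now hang it rather than fail it. Confirm that the HIDL wrapper's `CHK_STATUS` propagation is sufficient, or bail out via the same completion path as the other failures (`status = NFCSTATUS_FAILED; goto invoke_callback;` if that label's semantics allow it). The `core_init_rsp_params_len - 3` arithmetic is fine here since the enclosing branch already requires at least 4 bytes. The function continues outside this hunk.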
@@ -1847,7 +1854,8 @@
}
NXPLOG_NCIHAL_W("Sending last command for Recovery ");
- if (p_core_init_rsp_params[35] > 0) { // if length of last command is 0
+ if (core_init_rsp_params_len >= 40 &&
+ p_core_init_rsp_params[35] > 0) { // if length of last command is 0
// then it doesn't need to send last
// command.
if (!(((p_core_init_rsp_params[36] == 0x21) &&
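Review bot: The threshold of 40 looks chosen for the header bytes `[36]..[39]` that the condition starting on the last line of this hunk presumably compares, not for the stored last command itself, whose length at `[35]` is only bounded against the buffer later in this file; without a comment the number reads as arbitrary. Suggested: `// 40: [35] is the last-command length, [36..39] its NCI header, checked below`. The condition and the enclosing function continue outside this hunk.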
@@ -1884,7 +1892,9 @@
}
p_core_init_rsp_params[35] = (uint8_t)tmp_len;
-
+ if (p_core_init_rsp_params[35] > (core_init_rsp_params_len - 36)) {
+ return NFCSTATUS_FAILED;
+ }
status = phNxpNciHal_send_ext_cmd(
p_core_init_rsp_params[35], (uint8_t*)&p_core_init_rsp_params[36]);
if (status != NFCSTATUS_SUCCESS) {
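Review bot: The bound check reads `p_core_init_rsp_params[35]` after `tmp_len` has already been narrowed to `uint8_t` and stored there, so a `tmp_len` above 255 (it is declared `uint16_t` earlier in this function; its derivation is outside the hunk) would be checked and sent with a truncated length instead of being rejected. Check the untruncated value before the store: `if (tmp_len > UINT8_MAX || tmp_len > core_init_rsp_params_len - 36) return NFCSTATUS_FAILED;` followed by `p_core_init_rsp_params[35] = (uint8_t)tmp_len;`. The early return also bypasses the completion callback the other exits use, as noted for the discovery branch. The enclosing function continues past this hunk.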
@@ -1905,13 +1915,14 @@
// initialize dummy FW recovery variables
gRecFWDwnld = 0;
gRecFwRetryCount = 0;
- if (!((*p_core_init_rsp_params > 0) && (*p_core_init_rsp_params < 4)))
+ if (core_init_rsp_params_len >= 1 &&
+ !((*p_core_init_rsp_params > 0) && (*p_core_init_rsp_params < 4)))
phNxpNciHal_core_initialized_complete(status);
else {
invoke_callback:
config_access = false;
if (nxpncihal_ctrl.p_nfc_stack_data_cback != NULL) {
- *p_core_init_rsp_params = 0;
+ if (core_init_rsp_params_len) *p_core_init_rsp_params = 0;
NXPLOG_NCIHAL_W("Invoking data callback!!");
(*nxpncihal_ctrl.p_nfc_stack_data_cback)(nxpncihal_ctrl.rx_data_len,
nxpncihal_ctrl.p_rx_data);
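Review bot: The new guard `core_init_rsp_params_len >= 1 && !(...)` sends a zero-length buffer down the `else` branch, i.e. treats "no recovery data" as recovery mode and invokes the data callback with whatever `nxpncihal_ctrl.p_rx_data` currently holds, whereas every other length-guarded check in this function treats length 0 as not-in-recovery. The condition should be inverted to keep that consistent: `if (core_init_rsp_params_len < 1 || !((*p_core_init_rsp_params > 0) && (*p_core_init_rsp_params < 4)))` so an empty buffer reaches `phNxpNciHal_core_initialized_complete(status)`. The `if (core_init_rsp_params_len) *p_core_init_rsp_params = 0;` write is then only reachable with a non-empty buffer, but keeping the guard there is harmless. The function continues outside this hunk.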
@@ -3199,21 +3210,36 @@
NXPLOG_NCIHAL_D("%s: response status =%s", __func__, response_buf[11]);
}
if (phNxpNciClock.isClockSet) {
- int i;
- for (i = 0; i < *p_len; i++) {
+ int i, len = sizeof(phNxpNciClock.p_rx_data);
+ if (*p_len > len) {
+ android_errorWriteLog(0x534e4554, "169257710");
+ } else {
+ len = *p_len;
+ }
+ for (i = 0; i < len; i++) {
phNxpNciClock.p_rx_data[i] = p_rx_data[i];
}
}
else if (phNxpNciRfSet.isGetRfSetting) {
- int i;
- for (i = 0; i < *p_len; i++) {
+ int i, len = sizeof(phNxpNciRfSet.p_rx_data);
+ if (*p_len > len) {
+ android_errorWriteLog(0x534e4554, "169258733");
+ } else {
+ len = *p_len;
+ }
+ for (i = 0; i < len; i++) {
phNxpNciRfSet.p_rx_data[i] = p_rx_data[i];
// NXPLOG_NCIHAL_D("%s: response status =0x%x",__func__,p_rx_data[i]);
}
} else if (phNxpNciMwEepromArea.isGetEepromArea) {
- int i;
- for (i = 8; i < *p_len; i++) {
+ int i, len = sizeof(phNxpNciMwEepromArea.p_rx_data) + 8;
+ if (*p_len > len) {
+ android_errorWriteLog(0x534e4554, "169258884");
+ } else {
+ len = *p_len;
+ }
+ for (i = 8; i < len; i++) {
phNxpNciMwEepromArea.p_rx_data[i - 8] = p_rx_data[i];
}
} else if (nxpncihal_ctrl.phNxpNciGpioInfo.state == GPIO_STORE) {
@@ -3225,7 +3251,7 @@
nxpncihal_ctrl.phNxpNciGpioInfo.values[0] = p_rx_data[9];
nxpncihal_ctrl.phNxpNciGpioInfo.values[1] = p_rx_data[8];
}
-}
+ }
if (p_rx_data[2] && (config_access == true)) {
if (p_rx_data[3] != NFCSTATUS_SUCCESS) {
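Review bot: The three copy loops in this hunk implement the same clamp-then-log-then-copy pattern by hand, each with its own `len` juggling and byte loop, which is why the EEPROM variant needs the `+ 8` / `i - 8` offset dance; a small static helper makes the bound explicit once and reduces each site to a `memcpy` (add `<string.h>` if this file does not already include it). The `sizeof(...p_rx_data)` bounds are only right if those members are arrays rather than pointers — their declarations are not in the diff, so confirm. An oversize response is now silently truncated after the SafetyNet log; anything that later reads these buffers by the response's own length field will see a partial copy. The enclosing function starts and ends outside this hunk.
```cpp
// Copy at most `cap` bytes of a response into `dst`; an oversize response is
// reported to SafetyNet and truncated instead of overrunning the buffer.
static void phNxpNciHal_copyRspBounded(uint8_t* dst, size_t cap,
                                       const uint8_t* src, size_t n,
                                       const char* bug_id) {
  if (n > cap) {
    android_errorWriteLog(0x534e4554, bug_id);
    n = cap;
  }
  memcpy(dst, src, n);
}
// … unchanged: response handler up to the isClockSet branch …
if (phNxpNciClock.isClockSet) {
  phNxpNciHal_copyRspBounded(phNxpNciClock.p_rx_data,
                             sizeof(phNxpNciClock.p_rx_data), p_rx_data,
                             *p_len, "169257710");
} else if (phNxpNciRfSet.isGetRfSetting) {
  phNxpNciHal_copyRspBounded(phNxpNciRfSet.p_rx_data,
                             sizeof(phNxpNciRfSet.p_rx_data), p_rx_data,
                             *p_len, "169258733");
} else if (phNxpNciMwEepromArea.isGetEepromArea) {
  // Payload starts after an 8-byte prefix; shorter responses copy nothing.
  if (*p_len > 8)
    phNxpNciHal_copyRspBounded(phNxpNciMwEepromArea.p_rx_data,
                               sizeof(phNxpNciMwEepromArea.p_rx_data),
                               p_rx_data + 8, *p_len - 8, "169258884");
}
// … unchanged: GPIO_STORE branch and the config_access handling …
```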
diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
index 87230a1..be18e87 100644
--- a/halimpl/hal/phNxpNciHal_ext.cc
+++ b/halimpl/hal/phNxpNciHal_ext.cc
@@ -143,6 +143,10 @@
status = NFCSTATUS_SUCCESS;
if (bDisableLegacyMfcExtns && bEnableMfcExtns && p_ntf[0] == 0) {
+ if (*p_len < NCI_HEADER_SIZE) {
+ android_errorWriteLog(0x534e4554, "169258743");
+ return NFCSTATUS_FAILED;
+ }
uint16_t extlen;
extlen = *p_len - NCI_HEADER_SIZE;
NxpMfcReaderInstance.AnalyzeMfcResp(&p_ntf[3], &extlen);
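Review bot: `p_ntf[0]` in the enclosing `if` is read before the new `*p_len < NCI_HEADER_SIZE` check, so a zero-length notification still dereferences the buffer; unless an earlier check in this function (outside the hunk) guarantees at least one byte, add `*p_len >= 1 &&` to that condition or hoist the length check above it. The check also admits `*p_len == NCI_HEADER_SIZE`, which passes `&p_ntf[3]` (one past the end) with `extlen == 0` to `AnalyzeMfcResp`; that is only safe if `AnalyzeMfcResp` never touches the buffer for a zero length, which is worth confirming since that function is the subject of this fix. The enclosing function continues outside this hunk.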
@@ -421,24 +425,40 @@
NFCSTATUS status = NFCSTATUS_SUCCESS;
/* Parsing CORE_RESET_RSP and CORE_RESET_NTF to update NCI version.*/
- if (p_ntf == NULL || *p_len == 0x00) {
+ if (p_ntf == NULL || *p_len < 2) {
return NFCSTATUS_FAILED;
}
if (p_ntf[0] == NCI_MT_RSP &&
((p_ntf[1] & NCI_OID_MASK) == NCI_MSG_CORE_RESET)) {
+ if (*p_len < 4) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
if (p_ntf[2] == 0x01 && p_ntf[3] == 0x00) {
NXPLOG_NCIHAL_D("CORE_RESET_RSP NCI2.0");
if (nxpncihal_ctrl.hal_ext_enabled == TRUE) {
nxpncihal_ctrl.nci_info.wait_for_ntf = TRUE;
}
} else if (p_ntf[2] == 0x03 && p_ntf[3] == 0x00) {
+ if (*p_len < 5) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
NXPLOG_NCIHAL_D("CORE_RESET_RSP NCI1.0");
nxpncihal_ctrl.nci_info.nci_version = p_ntf[4];
}
} else if (p_ntf[0] == NCI_MT_NTF &&
((p_ntf[1] & NCI_OID_MASK) == NCI_MSG_CORE_RESET)) {
+ if (*p_len < 4) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
if (p_ntf[3] == CORE_RESET_TRIGGER_TYPE_CORE_RESET_CMD_RECEIVED ||
p_ntf[3] == CORE_RESET_TRIGGER_TYPE_POWERED_ON) {
+ if (*p_len < 6) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
NXPLOG_NCIHAL_D("CORE_RESET_NTF NCI2.0 reason CORE_RESET_CMD received !");
nxpncihal_ctrl.nci_info.nci_version = p_ntf[5];
NXPLOG_NCIHAL_D("nci_version : 0x%02x",nxpncihal_ctrl.nci_info.nci_version);
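Review bot: The five new length checks in this hunk each repeat the same three-line `if (*p_len < N) { android_errorWriteLog(...); return NFCSTATUS_FAILED; }` block with the same bug id, while the tightened `*p_len < 2` check at the top returns without logging at all; one helper keeps the reporting uniform and makes each site a single line. The helper shape is sketched below and would replace each block with e.g. `if (!phNxpNciHal_rspHasLen(*p_len, 5)) return NFCSTATUS_FAILED;`. The function continues past this hunk.
```cpp
// True when the message holds at least `need` bytes; otherwise reports the
// truncated CORE_RESET message to SafetyNet so the caller can bail out.
static bool phNxpNciHal_rspHasLen(uint16_t have, uint16_t need) {
  if (have < need) {
    android_errorWriteLog(0x534e4554, "169258455");
    return false;
  }
  return true;
}
// … unchanged: CORE_RESET_RSP / CORE_RESET_NTF parsing, with each
//   `if (*p_len < N) {...}` block replaced by the one-line call above …
```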
@@ -479,6 +499,10 @@
if(!nxpncihal_ctrl.hal_open_status) {
phNxpNciHal_configFeatureList(p_ntf,*p_len);
}
+ if (*p_len < 3) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
int len = p_ntf[2] + 2; /*include 2 byte header*/
if(len != *p_len - 1) {
NXPLOG_NCIHAL_E("phNxpNciHal_ext_process_nfc_init_rsp invalid NTF length");
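Review bot: The new `*p_len < 3` guard sits after the call `phNxpNciHal_configFeatureList(p_ntf, *p_len)`, so if that function indexes into the NCI header it still runs on the short message before the check rejects it; unless it is known to validate its own length, move the guard above `if(!nxpncihal_ctrl.hal_open_status) {` so both the feature-list call and the `p_ntf[2]` read below are covered. The `len != *p_len - 1` comparison that follows mixes the `int` `len` with the unsigned `*p_len` — fine for these small values, but worth a comment that it expects exactly one byte of trailer. The enclosing function starts and ends outside this hunk.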
@@ -681,8 +705,7 @@
}
}
- if (*cmd_len <= (NCI_MAX_DATA_LEN - 3) &&
- bEnableMfcReader && p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
+ if (bEnableMfcReader && p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
NXPLOG_NCIHAL_D("Going through extns - Adding Mifare in RF Discovery");
p_cmd_data[2] += 3;
p_cmd_data[3] += 1;
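Review bot: Dropping `*cmd_len <= (NCI_MAX_DATA_LEN - 3)` from this condition removes the only visible bound on a command that this branch grows: it adds 3 to the NCI length byte `p_cmd_data[2]`, which implies three bytes are appended past `*cmd_len` (the sibling hunk in this file does exactly that with `p_cmd_data[*cmd_len] = 0x80;`). Unless the caller's buffer is guaranteed slack beyond `NCI_MAX_DATA_LEN`, this reintroduces an out-of-bounds write for a maximal-length RF_DISCOVER_MAP command; I would keep the check: `if (*cmd_len <= (NCI_MAX_DATA_LEN - 3) && bEnableMfcReader && p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {`. Neither version ensures `*cmd_len >= 4` before touching `p_cmd_data[2]` and `[3]`, which the same condition could also require. The rest of the branch and the enclosing function are outside this hunk.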
@@ -794,8 +817,7 @@
phNxpNciHal_print_packet("RECV", p_rsp_data, 5);
// status = NFCSTATUS_FAILED;
NXPLOG_NCIHAL_D("> Going through workaround - Dirty Set Config - End ");
- } else if (*cmd_len <= (NCI_MAX_DATA_LEN - 3) &&
- p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
+ } else if (p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
NXPLOG_NCIHAL_D(
"> Going through workaround - Add Mifare Classic in Discovery Map");
p_cmd_data[*cmd_len] = 0x80;
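Review bot: The write `p_cmd_data[*cmd_len] = 0x80;` on the last line of this hunk is now unbounded, because the `*cmd_len <= (NCI_MAX_DATA_LEN - 3)` term that protected it was removed from the `else if`; if `*cmd_len` can reach the buffer's capacity this is an out-of-bounds write on the command path, the opposite direction of the OOB reads this commit fixes. Restore the bound: `} else if (*cmd_len <= (NCI_MAX_DATA_LEN - 3) && p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {`. If the check was dropped because the caller now guarantees the slack, a comment stating that invariant at this site would stop the next reader from re-adding it. The branch continues outside this hunk.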
diff --git a/halimpl/inc/phNxpNciHal_Adaptation.h b/halimpl/inc/phNxpNciHal_Adaptation.h
index 8f5da81..4a0a165 100644
--- a/halimpl/inc/phNxpNciHal_Adaptation.h
+++ b/halimpl/inc/phNxpNciHal_Adaptation.h
@@ -35,7 +35,7 @@
int phNxpNciHal_MinOpen();
int phNxpNciHal_write(uint16_t data_len, const uint8_t* p_data);
int phNxpNciHal_write_internal(uint16_t data_len, const uint8_t* p_data);
-int phNxpNciHal_core_initialized(uint8_t* p_core_init_rsp_params);
+int phNxpNciHal_core_initialized(uint16_t core_init_rsp_len, uint8_t* p_core_init_rsp_params);
int phNxpNciHal_pre_discover(void);
int phNxpNciHal_close(bool);
int phNxpNciHal_configDiscShutdown(void);
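Review bot: The new parameter is named `core_init_rsp_len` in this declaration but `core_init_rsp_params_len` in the definition in phNxpNciHal.cc; the names should agree, and the meaning of the length (valid bytes at the pointer, with 0 meaning no recovery data) is not documented anywhere callers can see it. Suggested: `int phNxpNciHal_core_initialized(uint16_t core_init_rsp_params_len, uint8_t* p_core_init_rsp_params);` preceded by `/* core_init_rsp_params_len: number of valid bytes at p_core_init_rsp_params; 0 = no recovery data */`.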
diff --git a/halimpl/mifare/NxpMfcReader.cc b/halimpl/mifare/NxpMfcReader.cc
index 5e4873e..de3b966 100644
--- a/halimpl/mifare/NxpMfcReader.cc
+++ b/halimpl/mifare/NxpMfcReader.cc
@@ -15,6 +15,7 @@
* limitations under the License.
*
******************************************************************************/
+#include <log/log.h>
#include "NxpMfcReader.h"
#include "phNxpNciHal.h"
#include <phNfcCompId.h>
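Review bot: The new `#include <log/log.h>` is placed above the translation unit's own header `"NxpMfcReader.h"`; the usual convention (and the reason for it — proving the own header is self-contained) is own header first, then system/library headers such as `<log/log.h>`, then project headers. Moving it one line down keeps that property.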
@@ -43,6 +44,10 @@
uint16_t mfcTagCmdBuffLen = 0;
uint8_t mfcTagCmdBuff[MAX_MFC_BUFF_SIZE] = {0};
+ if (mfcDataLen > MAX_MFC_BUFF_SIZE) {
+ android_errorWriteLog(0x534e4554, "169259605");
+ mfcDataLen = MAX_MFC_BUFF_SIZE;
+ }
memcpy(mfcTagCmdBuff, pMfcData, mfcDataLen);
if (mfcDataLen >= 3)
mfcTagCmdBuffLen = mfcDataLen - NCI_HEADER_SIZE;
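Review bot: Clamping `mfcDataLen` to `MAX_MFC_BUFF_SIZE` stops the `memcpy` overflow but then carries on with a silently truncated command — `mfcTagCmdBuffLen` is derived from the clamped value on the last line, so a partial MIFARE command is built and, presumably, sent to the tag. An over-long command from the stack is malformed input and should be rejected, not trimmed: after the `android_errorWriteLog` call, `return NFCSTATUS_FAILED;` (or whatever failure value this function's return type uses — its signature is outside the hunk). The `mfcDataLen >= 3` test on the next-to-last line hard-codes the value of `NCI_HEADER_SIZE` used on the last; `mfcDataLen >= NCI_HEADER_SIZE` keeps the two in step.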