Merge tag 'android-security-13.0.0_r8' into int/13/fp3
Android Security 13.0.0 Release 8 (10286630)
* tag 'android-security-13.0.0_r8':
OOBR in AnalyzeMfcResp in NxpMfcReader.cc
OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2
Revert "OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2"
OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2
Revert "OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2"
Change-Id: Ic93d304f6c98a15fe02584385d26e9cd3576ecaf
diff --git a/pn8x/halimpl/hal/phNxpNciHal.cc b/pn8x/halimpl/hal/phNxpNciHal.cc
index bff811c..13be835 100644
--- a/pn8x/halimpl/hal/phNxpNciHal.cc
+++ b/pn8x/halimpl/hal/phNxpNciHal.cc
@@ -1880,6 +1880,14 @@
// if the last command is deactivate to idle and RF status is also idle ,
// no need to execute the command .
{
+ if (p_core_init_rsp_params[35] > (core_init_rsp_params_len - 36)) {
+ if (buffer) {
+ free(buffer);
+ buffer = NULL;
+ }
+ android_errorWriteLog(0x534e4554, "231445184");
+ return NFCSTATUS_FAILED;
+ }
tmp_len = p_core_init_rsp_params[35];
/* Check for NXP ext before sending write */
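Review bot: The added guard reads `p_core_init_rsp_params[35]` before anything in the hunk establishes that `core_init_rsp_params_len` is at least 36, so a shorter response would still be read out of bounds by the check itself. If the length is an unsigned type of int width or wider, `core_init_rsp_params_len - 36` also wraps and the comparison no longer rejects the short case. Testing the length first covers both: `if (core_init_rsp_params_len < 36 || p_core_init_rsp_params[35] > (core_init_rsp_params_len - 36)) {`. The parameter types and any earlier length check are outside the hunk, so confirm whether this is already enforced before this point. The offsets 35 and 36 would also read better as one named constant with a comment saying which field of the init response they index.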
@@ -2600,6 +2608,10 @@
}
switch (arg) {
case HAL_NFC_IOCTL_SPI_DWP_SYNC: {
+ if (pInpOutData->inp.data.nciCmd.cmd_len > MAX_IOCTL_TRANSCEIVE_CMD_LEN) {
+ android_errorWriteLog(0x534e4554, "238083126");
+ return -1;
+ }
ret = phNxpNciHal_send_ese_hal_cmd(pInpOutData->inp.data.nciCmd.cmd_len,
pInpOutData->inp.data.nciCmd.p_cmd);
pInpOutData->out.data.nciRsp.rsp_len = nxpncihal_ctrl.rx_ese_data_len;
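Review bot: The last visible line takes `rsp_len` from `nxpncihal_ctrl.rx_ese_data_len` with no bound in view, so the response direction does not get the same treatment as the new `cmd_len` check; if a copy into the caller's response buffer in `out.data.nciRsp` follows, it needs a cap of its own. The rest of the `HAL_NFC_IOCTL_SPI_DWP_SYNC` case is outside the hunk, so this may already be handled there. On the added lines a short comment would help the next reader, for example `/* cmd_len comes from the ioctl caller; reject it before it is used as a length for p_cmd */`. The early `return -1` also skips whatever follows the switch, so it is worth checking that no lock release or cleanup is expected on that path.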