commit e30d6ec9e8a7680c0c41a19806991f3bbcc045fe
author Karsten Tausche <karsten@fairphone.com> Fri May 14 12:10:00 2021 +0200
committer Karsten Tausche <karsten@fairphone.com> Fri May 14 12:10:00 2021 +0200
tree ff9b4bdca42fcefbe016c39d932a30a1b711df51
parent 846a5d15ddcfb056d2fe4aaacf3b6c8d60e2215a
parent d94c157efa7874bb33ca51b594307a892692df90

Merge the 2021-06-05 SPL branch from AOSP-Partner

* security-aosp-pi-release:
  Memory Disclosure, OOB Write, and Double Free in NFC T3T tag

Change-Id: Ib14a0038f89572e23d6393e2de044ff6e7ad2cb7

src/nfc/include/rw_int.h

diff --git a/src/nfc/include/rw_int.h b/src/nfc/include/rw_int.h
index b6e1dc5..cf6440b 100644
--- a/src/nfc/include/rw_int.h
+++ b/src/nfc/include/rw_int.h
@@ -494,6 +494,8 @@
 #define RW_T3T_FL_W4_FMT_FELICA_LITE_POLL_RSP 0x10
 /* Waiting for POLL response for RW_T3tSetReadOnly */
 #define RW_T3T_FL_W4_SRO_FELICA_LITE_POLL_RSP 0x20
+/* Waiting for POLL response for RW_T3tPoll */
+#define RW_T3T_FL_W4_USER_POLL_RSP 0x40
 
 typedef struct {
   uint32_t cur_tout; /* Current command timeout */

src/nfc/tags/rw_t3t.cc

diff --git a/src/nfc/tags/rw_t3t.cc b/src/nfc/tags/rw_t3t.cc
index ea88fc9..cb820e2 100644
--- a/src/nfc/tags/rw_t3t.cc
+++ b/src/nfc/tags/rw_t3t.cc
@@ -249,6 +249,14 @@
       /* For GetSystemCode: tag did not respond to requested POLL */
       rw_t3t_handle_get_system_codes_cplt();
       return;
+    } else if ((p_cb->flags & (RW_T3T_FL_W4_PRESENCE_CHECK_POLL_RSP |
+                               RW_T3T_FL_W4_GET_SC_POLL_RSP |
+                               RW_T3T_FL_W4_FMT_FELICA_LITE_POLL_RSP |
+                               RW_T3T_FL_W4_SRO_FELICA_LITE_POLL_RSP |
+                               RW_T3T_FL_W4_NDEF_DETECT_POLL_RSP |
+                               RW_T3T_FL_W4_USER_POLL_RSP))) {
+      /* Tag did not respond correctly to requested POLL */
+      return;
     }
     /* Retry sending command if retry-count < max */
     else if (rw_cb.cur_retry < RW_MAX_RETRIES) {
@@ -272,8 +280,7 @@
                                 p_cb->cur_tout);
           return;
         } else {
-          /* failure - could not send buffer */
-          GKI_freebuf(p_cmd_buf);
+          android_errorWriteLog(0x534e4554, "179687208");
         }
       }
     } else {
@@ -366,6 +373,7 @@
     rw_t3t_handle_ndef_detect_poll_rsp(p_cb, nci_status, num_responses);
   } else {
     /* Handle POLL ntf in response to RW_T3tPoll */
+    p_cb->flags &= ~RW_T3T_FL_W4_USER_POLL_RSP;
     evt_data.t3t_poll.status = nci_status;
     if (evt_data.t3t_poll.status == NCI_STATUS_OK) {
       evt_data.t3t_poll.rc = p_cb->cur_poll_rc;
@@ -2799,6 +2807,7 @@
     /* start timer for waiting for responses */
     p_cb->cur_poll_rc = rc;
     p_cb->rw_state = RW_T3T_STATE_COMMAND_PENDING;
+    p_cb->flags |= RW_T3T_FL_W4_USER_POLL_RSP;
     rw_t3t_start_poll_timer(p_cb);
   }