Merge branch 'security-aosp-rvc-release' into int/11/fp3
* security-aosp-rvc-release:
OOBR in nfc_ncif_proc_ee_discover_req()
Double Free in ce_t4t_data_cback
Out of Bounds Read in nfa_dm_check_set_config
Change-Id: I9789e6108d2cb27b8d8f8ce535a39d29df178449
diff --git a/src/nfa/dm/nfa_dm_main.cc b/src/nfa/dm/nfa_dm_main.cc
index fe03a5b..18ca93c 100644
--- a/src/nfa/dm/nfa_dm_main.cc
+++ b/src/nfa/dm/nfa_dm_main.cc
@@ -25,6 +25,7 @@
#include <android-base/stringprintf.h>
#include <base/logging.h>
+#include <log/log.h>
#include "nfa_api.h"
#include "nfa_dm_int.h"
@@ -236,6 +237,12 @@
len = *(p_tlv_list + xx + 1);
p_value = p_tlv_list + xx + 2;
p_cur_len = nullptr;
+ if (len > (tlv_list_len - xx - 2)) {
+ LOG(ERROR) << StringPrintf("error: invalid TLV length: t:0x%x, l:%d",
+ type, len);
+ android_errorWriteLog(0x534e4554, "221216105");
+ return NFA_STATUS_FAILED;
+ }
switch (type) {
/*
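Review bot: The new length guard runs only after `len = *(p_tlv_list + xx + 1);` on the line above it, so a TLV whose type byte is the final byte of the list still reads one byte past `tlv_list_len` before the guard can reject it. Hoisting a bounds check on the header itself ahead of that read, `if (xx + 2 > tlv_list_len) return NFA_STATUS_FAILED;` (with the same error log and `android_errorWriteLog` call), closes that gap and makes the existing `len > (tlv_list_len - xx - 2)` comparison operate on a non-negative remainder. Whether the current expression fails closed in that case depends on the declared types of `tlv_list_len` and `xx`, which are outside this hunk: narrow unsigned types promote to `int` and go negative, but a `size_t` operand would wrap and let the guard pass, so the types are worth confirming. The loop and the signature of nfa_dm_check_set_config begin before this hunk.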
diff --git a/src/nfc/nfc/nfc_ncif.cc b/src/nfc/nfc/nfc_ncif.cc
index 3bde5bb..e470386 100644
--- a/src/nfc/nfc/nfc_ncif.cc
+++ b/src/nfc/nfc/nfc_ncif.cc
@@ -1511,6 +1511,11 @@
DLOG_IF(INFO, nfc_debug_enabled)
<< StringPrintf("nfc_ncif_proc_ee_discover_req %d len:%d", *p, plen);
+ if (!plen) {
+ android_errorWriteLog(0x534e4554, "221856662");
+ return;
+ }
+
if (*p > NFC_MAX_EE_DISC_ENTRIES) {
android_errorWriteLog(0x534e4554, "122361874");
LOG(ERROR) << __func__ << "Exceed NFC_MAX_EE_DISC_ENTRIES";
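Review bot: The `if (!plen)` guard is placed after the `DLOG_IF` two lines above it, which already dereferences `*p` to format the message, so with debug logging enabled the zero-length read the check is meant to prevent still happens first; moving the guard above the `DLOG_IF` statement fixes the ordering. The check also establishes only that one byte of payload exists, while the entry-count comparison against NFC_MAX_EE_DISC_ENTRIES that follows says nothing about whether `plen` covers that many entries; the per-entry parsing is outside this hunk, so it is worth confirming it is bounded by `plen` and not only by `*p`. A one-line comment such as `// need at least the entry-count byte before reading *p` would also make the intent of the bare `!plen` test clear. The body of nfc_ncif_proc_ee_discover_req continues beyond the hunk.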
diff --git a/src/nfc/tags/ce_t4t.cc b/src/nfc/tags/ce_t4t.cc
index 99baf75..a4196a2 100644
--- a/src/nfc/tags/ce_t4t.cc
+++ b/src/nfc/tags/ce_t4t.cc
@@ -633,6 +633,7 @@
} else {
GKI_freebuf(p_c_apdu);
ce_t4t_send_status(T4T_RSP_NOT_FOUND);
+ return;
}
} else if (ce_cb.mem.t4t.status & CE_T4T_STATUS_WILDCARD_AID_SELECTED) {
DLOG_IF(INFO, nfc_debug_enabled)
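Review bot: The added `return;` after `GKI_freebuf(p_c_apdu)` and `ce_t4t_send_status(T4T_RSP_NOT_FOUND)` is the whole fix, but nothing at the site says why control must not fall through, so a later cleanup could remove the "redundant" early return and reintroduce the double free. A comment on the line above it, `// p_c_apdu is already released here; do not reach the common free below`, documents the ownership hand-off this branch relies on. The buffer's second release is not visible in this hunk, so the exact location is inferred from the commit title; the enclosing function starts and ends outside the hunk.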