Merge branch 'dev/11/fp3/security-aosp-rvc-release' into int/11/fp3 * dev/11/fp3/security-aosp-rvc-release: OOBW in rw_i93_send_to_upper() Change-Id: I7aaa0f9f474582cf61a1c56d17c3cf46d3713140

commit: 08be30c5e0791c65d35b12e9fcd5f35494926492 [log] [tgz]
author: Prashantsinh Parmar <prashantsinh.parmar@fairphone.partners> Fri Jul 28 00:38:06 2023 +0530
committer: Maarten Derks <maarten@fairphone.com> Wed Aug 02 14:36:14 2023 +0200
tree: c487602b17ec0d1a066b4f06f0bea33ae308eb50
parent: bc20e3efd5e0e06382a3a512e11be2300efde89c [diff]
parent: ac1d120f59ecd204d9603fbc6ec78f6298b67d80 [diff]
diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
index 1c64ea8..cb6d96d 100644
--- a/src/nfc/tags/rw_i93.cc
+++ b/src/nfc/tags/rw_i93.cc

@@ -578,6 +578,15 @@
     case I93_CMD_GET_MULTI_BLK_SEC:
     case I93_CMD_EXT_GET_MULTI_BLK_SEC:
 
+      if (UINT16_MAX - length < NFC_HDR_SIZE) {
+        rw_data.i93_cmd_cmpl.status = NFC_STATUS_FAILED;
+        rw_data.i93_cmd_cmpl.command = p_i93->sent_cmd;
+        rw_cb.tcb.i93.sent_cmd = 0;
+
+        event = RW_I93_CMD_CMPL_EVT;
+        break;
+      }
+
       /* forward tag data or security status */
       p_buff = (NFC_HDR*)GKI_getbuf((uint16_t)(length + NFC_HDR_SIZE));
commit	08be30c5e0791c65d35b12e9fcd5f35494926492	[log] [tgz]
author	Prashantsinh Parmar <prashantsinh.parmar@fairphone.partners>	Fri Jul 28 00:38:06 2023 +0530
committer	Maarten Derks <maarten@fairphone.com>	Wed Aug 02 14:36:14 2023 +0200
tree	c487602b17ec0d1a066b4f06f0bea33ae308eb50
parent	bc20e3efd5e0e06382a3a512e11be2300efde89c [diff]
parent	ac1d120f59ecd204d9603fbc6ec78f6298b67d80 [diff]