OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2
Bug: 238177877
Test: build ok
Merged-In: Idec58a09db2346bd340b33293cc5b67f2490b5ff
Change-Id: I2df1c66313a888dfb80e367dd2bfa5a9084c46e6
(cherry picked from commit 8cfb70d74d36551bf0b05416fa0e6ba066009774)
Merged-In: I2df1c66313a888dfb80e367dd2bfa5a9084c46e6
[Port to NXP: Apply to SN100x as well.]
Issue: FP3SEC-651
(cherry picked from commit 9848b80e652432bdb825008039fb0e2b4af3f6cf)
diff --git a/SN100x/halimpl/mifare/NxpMfcReader.cc b/SN100x/halimpl/mifare/NxpMfcReader.cc
index 9df48da..dad45fe 100644
--- a/SN100x/halimpl/mifare/NxpMfcReader.cc
+++ b/SN100x/halimpl/mifare/NxpMfcReader.cc
@@ -49,13 +49,13 @@
BuildMfcCmd(&mfcTagCmdBuff[3], &mfcTagCmdBuffLen);
mfcTagCmdBuff[2] = mfcTagCmdBuffLen;
- mfcDataLen = mfcTagCmdBuffLen + NCI_HEADER_SIZE;
- int writtenDataLen = phNxpNciHal_write_internal(mfcDataLen, mfcTagCmdBuff);
+ int writtenDataLen = phNxpNciHal_write_internal(
+ mfcTagCmdBuffLen + NCI_HEADER_SIZE, mfcTagCmdBuff);
/* send TAG_CMD part 2 for Mifare increment ,decrement and restore commands */
if (mfcTagCmdBuff[4] == eMifareDec || mfcTagCmdBuff[4] == eMifareInc ||
mfcTagCmdBuff[4] == eMifareRestore) {
- SendIncDecRestoreCmdPart2(pMfcData);
+ SendIncDecRestoreCmdPart2(mfcDataLen, pMfcData);
}
return writtenDataLen;
}
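Review bot: The call on the `SendIncDecRestoreCmdPart2(mfcDataLen, pMfcData);` line now forwards the caller's original buffer length, which only works because the removed `mfcDataLen = mfcTagCmdBuffLen + NCI_HEADER_SIZE;` assignment no longer clobbers the parameter, and nothing in the code records that dependency. A one-line comment above the call would keep a later refactor from reintroducing the overwrite: `/* pass the caller's input length (not the built command length) so part 2 can bound its reads of pMfcData */`. The start of Write(), including whatever validates mfcDataLen before BuildMfcCmd, is outside this hunk, so I cannot tell whether a zero or very short length is already rejected there. The same applies to the identical hunk for halimpl/mifare/NxpMfcReader.cc.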
@@ -259,7 +259,8 @@
** Returns None
**
*******************************************************************************/
-void NxpMfcReader::SendIncDecRestoreCmdPart2(const uint8_t *mfcData) {
+void NxpMfcReader::SendIncDecRestoreCmdPart2(uint16_t mfcDataLen,
+ const uint8_t *mfcData) {
NFCSTATUS status = NFCSTATUS_SUCCESS;
/* Build TAG_CMD part 2 for Mifare increment ,decrement and restore commands*/
uint8_t incDecRestorePart2[] = {0x00, 0x00, 0x05, (uint8_t)eMfRawDataXchgHdr,
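Review bot: The new `mfcDataLen` parameter is not described in the function's banner comment; only the `** Returns None` tail of that comment is visible here, and the parameter section above it is outside the hunk, so it presumably still documents a single `mfcData` argument. Add a line in that section such as `** mfcDataLen - number of bytes readable from mfcData (the caller's input length)`, since the value is now the only thing bounding the reads in the copy loop further down. The same comment update is needed in the matching hunk for halimpl/mifare/NxpMfcReader.cc.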
@@ -267,6 +268,10 @@
uint8_t incDecRestorePart2Size =
(sizeof(incDecRestorePart2) / sizeof(incDecRestorePart2[0]));
if (mfcData[3] == eMifareInc || mfcData[3] == eMifareDec) {
+ if (incDecRestorePart2Size >= mfcDataLen) {
+ incDecRestorePart2Size = mfcDataLen - 1;
+ android_errorWriteLog(0x534e4554, "238177877");
+ }
for (int i = 4; i < incDecRestorePart2Size; i++) {
incDecRestorePart2[i] = mfcData[i + 1];
}
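Review bot: The clamp `incDecRestorePart2Size = mfcDataLen - 1;` wraps when `mfcDataLen` is 0: the subtraction is done in int, -1 is stored into the uint8_t and the loop then writes `incDecRestorePart2[i]` for i up to 254, turning the original out-of-bounds read into a stack write past the end of the array. The `mfcData[3] == eMifareInc` test on the line before the added block also reads `mfcData[3]` before any length check, so lengths 1-3 are still read out of bounds. Move the guard ahead of that test and reject short inputs outright, e.g. `if (mfcDataLen < 4) { android_errorWriteLog(0x534e4554, "238177877"); return; }`, or clamp to 0 rather than returning if part 2 must still be sent for a malformed request; I cannot see from the hunk whether Write() already rejects such lengths. The eMifareRestore branch and the send at the end of this function are outside the hunk. The same defect is in the identical hunk for halimpl/mifare/NxpMfcReader.cc.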
diff --git a/SN100x/halimpl/mifare/NxpMfcReader.h b/SN100x/halimpl/mifare/NxpMfcReader.h
index 3b353ba..0792df5 100644
--- a/SN100x/halimpl/mifare/NxpMfcReader.h
+++ b/SN100x/halimpl/mifare/NxpMfcReader.h
@@ -109,7 +109,7 @@
void BuildIncDecCmd();
void CalcSectorAddress();
void AuthForWrite();
- void SendIncDecRestoreCmdPart2(const uint8_t *mfcData);
+ void SendIncDecRestoreCmdPart2(uint16_t mfcDataLen, const uint8_t *mfcData);
public:
int Write(uint16_t mfcDataLen, const uint8_t *pMfcData);
@@ -117,4 +117,4 @@
NFCSTATUS CheckMfcResponse(uint8_t *pTransceiveData,
uint16_t transceiveDataLen);
static NxpMfcReader &getInstance();
-};
\ No newline at end of file
+};
diff --git a/halimpl/mifare/NxpMfcReader.cc b/halimpl/mifare/NxpMfcReader.cc
index 315a803..f1ca839 100644
--- a/halimpl/mifare/NxpMfcReader.cc
+++ b/halimpl/mifare/NxpMfcReader.cc
@@ -49,13 +49,13 @@
BuildMfcCmd(&mfcTagCmdBuff[3], &mfcTagCmdBuffLen);
mfcTagCmdBuff[2] = mfcTagCmdBuffLen;
- mfcDataLen = mfcTagCmdBuffLen + NCI_HEADER_SIZE;
- int writtenDataLen = phNxpNciHal_write_internal(mfcDataLen, mfcTagCmdBuff);
+ int writtenDataLen = phNxpNciHal_write_internal(
+ mfcTagCmdBuffLen + NCI_HEADER_SIZE, mfcTagCmdBuff);
/* send TAG_CMD part 2 for Mifare increment ,decrement and restore commands */
if (mfcTagCmdBuff[4] == eMifareDec || mfcTagCmdBuff[4] == eMifareInc ||
mfcTagCmdBuff[4] == eMifareRestore) {
- SendIncDecRestoreCmdPart2(pMfcData);
+ SendIncDecRestoreCmdPart2(mfcDataLen, pMfcData);
}
return writtenDataLen;
}
@@ -259,7 +259,8 @@
** Returns None
**
*******************************************************************************/
-void NxpMfcReader::SendIncDecRestoreCmdPart2(const uint8_t *mfcData) {
+void NxpMfcReader::SendIncDecRestoreCmdPart2(uint16_t mfcDataLen,
+ const uint8_t *mfcData) {
NFCSTATUS status = NFCSTATUS_SUCCESS;
/* Build TAG_CMD part 2 for Mifare increment ,decrement and restore commands*/
uint8_t incDecRestorePart2[] = {0x00, 0x00, 0x05, (uint8_t)eMfRawDataXchgHdr,
@@ -267,6 +268,10 @@
uint8_t incDecRestorePart2Size =
(sizeof(incDecRestorePart2) / sizeof(incDecRestorePart2[0]));
if (mfcData[3] == eMifareInc || mfcData[3] == eMifareDec) {
+ if (incDecRestorePart2Size >= mfcDataLen) {
+ incDecRestorePart2Size = mfcDataLen - 1;
+ android_errorWriteLog(0x534e4554, "238177877");
+ }
for (int i = 4; i < incDecRestorePart2Size; i++) {
incDecRestorePart2[i] = mfcData[i + 1];
}
diff --git a/halimpl/mifare/NxpMfcReader.h b/halimpl/mifare/NxpMfcReader.h
index da216e1..69e6210 100644
--- a/halimpl/mifare/NxpMfcReader.h
+++ b/halimpl/mifare/NxpMfcReader.h
@@ -109,7 +109,7 @@
void BuildIncDecCmd();
void CalcSectorAddress();
void AuthForWrite();
- void SendIncDecRestoreCmdPart2(const uint8_t *mfcData);
+ void SendIncDecRestoreCmdPart2(uint16_t mfcDataLen, const uint8_t *mfcData);
public:
int Write(uint16_t mfcDataLen, const uint8_t *pMfcData);
@@ -117,4 +117,4 @@
NFCSTATUS CheckMfcResponse(uint8_t *pTransceiveData,
uint16_t transceiveDataLen);
static NxpMfcReader &getInstance();
-};
\ No newline at end of file
+};