author | Alisher Alikhodjaev <alisher@google.com> | 2020-10-20 17:20:38 -0700 |
---|---|---|
committer | alk3pInjection <webmaster@raspii.tech> | 2022-03-05 01:55:03 +0800 |
commit | 3f241426aaa0b3d21fbca568c8702d5505616df1 (patch) | |
tree | aa842668487cf26bb15d08cd729b99d8d05bf7e9 | |
parent | 5e9491093890e98925e8432447708c230fffaf52 (diff) |
A stack OOB write vuln of nxp nfc hal library
Bug: 169259605
Test: build ok
Change-Id: I5b99093abdee065eed161f3cda41847a35b13e6a
-rw-r--r-- | halimpl/mifare/NxpMfcReader.cc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/halimpl/mifare/NxpMfcReader.cc b/halimpl/mifare/NxpMfcReader.cc
index 315a803..17d9ed7 100644
--- a/halimpl/mifare/NxpMfcReader.cc
+++ b/halimpl/mifare/NxpMfcReader.cc
@@ -15,6 +15,7 @@
 * limitations under the License.
 *
 ******************************************************************************/
+#include <log/log.h>
 #include "NxpMfcReader.h"
 #include "phNxpNciHal.h"
 #include <phNfcCompId.h>
@@ -43,6 +44,10 @@ int NxpMfcReader::Write(uint16_t mfcDataLen, const uint8_t *pMfcData) {
 uint16_t mfcTagCmdBuffLen = 0;
 uint8_t mfcTagCmdBuff[MAX_MFC_BUFF_SIZE] = {0};
+ if (mfcDataLen > MAX_MFC_BUFF_SIZE) {
+ android_errorWriteLog(0x534e4554, "169259605");
+ mfcDataLen = MAX_MFC_BUFF_SIZE;
+ }
 memcpy(mfcTagCmdBuff, pMfcData, mfcDataLen);
 if (mfcDataLen >= 3)
 mfcTagCmdBuffLen = mfcDataLen - NCI_HEADER_SIZE; |
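Review bot: The new guard in `NxpMfcReader::Write` clamps an oversized `mfcDataLen` to `MAX_MFC_BUFF_SIZE` and then carries on, so a request already flagged as malformed is still copied and processed as a truncated command. Rejecting it is the safer shape: after the `android_errorWriteLog` call, return a failure instead of `mfcDataLen = MAX_MFC_BUFF_SIZE;` (for example `return 0;` if `Write` reports bytes written; the return convention is outside this hunk, so confirm it). The copy can also now fill `mfcTagCmdBuff` completely, so any later step in `Write` that grows the command in place would need its own bound; that code is not visible here. A short comment such as `// 0x534e4554 ("SNET") is the SafetyNet event-log tag; the string is the bug id` would explain the magic constant.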