author | Alisher Alikhodjaev <alisher@google.com> | 2020-10-20 17:52:53 -0700 |
---|---|---|
committer | alk3pInjection <webmaster@raspii.tech> | 2022-03-05 01:55:03 +0800 |
commit | a6e9b182b7dfe75cdb1640c03c6da46eaae996ef (patch) | |
tree | 9846f3ea02af0d4b92b22ed12246cf282afc013e | |
parent | fb114552d05b63dafad766a296d10affd6835997 (diff) |
An info leak vuln caused by OOB read of nxp nfc hal library
Bug: 169258455
Test: build ok
Change-Id: I8e296f3ae38ee829d87c0052b5753e2f93bd0dd4
-rw-r--r-- | halimpl/hal/phNxpNciHal_ext.cc | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
index 3515234..d08ca3d 100644
--- a/halimpl/hal/phNxpNciHal_ext.cc
+++ b/halimpl/hal/phNxpNciHal_ext.cc
@@ -407,6 +407,10 @@ if(nfcFL.nfccFL._NFCC_FORCE_NCI1_0_INIT == true) {
 } else if (p_ntf[0] == 0x60 && p_ntf[1] == 0x00 && p_ntf[2] == 0x09 && p_ntf[3] == 0x02 && nxpncihal_ctrl.is_wait_for_ce_ntf) {
 NXPLOG_NCIHAL_D("CORE_RESET_NTF 2 reason Command received !");
+ if (*p_len < 3) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
 int len = p_ntf[2] + 2; /*include 2 byte header*/
 if(len != *p_len - 1) {
 NXPLOG_NCIHAL_E("phNxpNciHal_ext_process_nfc_init_rsp invalid NTF length");
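Review bot: The new `*p_len < 3` guard is placed after the `else if` condition has already dereferenced `p_ntf[0]` through `p_ntf[3]`, so for a frame shorter than four bytes the out-of-bounds read this commit is meant to close still happens in the condition itself, and the bound of 3 is in any case one short of the index 3 that was just read. Unless an earlier check in the enclosing function (which starts and ends outside this hunk) already guarantees at least four bytes, the length test belongs in the condition: `} else if (*p_len >= 4 && p_ntf[0] == 0x60 && p_ntf[1] == 0x00 && p_ntf[2] == 0x09 && p_ntf[3] == 0x02 && nxpncihal_ctrl.is_wait_for_ce_ntf) {`, after which the added `*p_len < 3` block is redundant and can go. The unchanged `int len = p_ntf[2] + 2; if(len != *p_len - 1)` check below it still cross-checks the declared payload length against the buffer, which is the right second line of defence once the first four bytes are known to exist.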
@@ -539,21 +543,37 @@ static NFCSTATUS phNxpNciHal_ext_process_nfc_init_rsp(uint8_t* p_ntf, uint16_t*
 NFCSTATUS status = NFCSTATUS_SUCCESS;
 /* Parsing CORE_RESET_RSP and CORE_RESET_NTF to update NCI version.*/
- if(p_ntf == NULL || *p_len == 0x00) {
+ if(p_ntf == NULL || *p_len < 2) {
 return NFCSTATUS_FAILED;
 }
 if (p_ntf[0] == NCI_MT_RSP && ((p_ntf[1] & NCI_OID_MASK) == NCI_MSG_CORE_RESET)) {
+ if (*p_len < 4) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
 if (p_ntf[2] == 0x01 && p_ntf[3] == 0x00) {
 NXPLOG_NCIHAL_D("CORE_RESET_RSP NCI2.0");
 if(nxpncihal_ctrl.hal_ext_enabled == TRUE) {
 nxpncihal_ctrl.nci_info.wait_for_ntf = TRUE;
 }
 } else if (p_ntf[2] == 0x03 && p_ntf[3] == 0x00) {
+ if (*p_len < 5) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
 NXPLOG_NCIHAL_D("CORE_RESET_RSP NCI1.0");
 nxpncihal_ctrl.nci_info.nci_version = p_ntf[4];
 }
 } else if (p_ntf[0] == NCI_MT_NTF && ((p_ntf[1] & NCI_OID_MASK) == NCI_MSG_CORE_RESET)) {
+ if (*p_len < 4) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
 if(p_ntf[3] == CORE_RESET_TRIGGER_TYPE_CORE_RESET_CMD_RECEIVED ) {
+ if (*p_len < 6) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
 NXPLOG_NCIHAL_D("CORE_RESET_NTF NCI2.0 reason CORE_RESET_CMD received !");
 nxpncihal_ctrl.nci_info.nci_version = p_ntf[5];
 phNxpNciHal_configFeatureList(p_ntf,*p_len);
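Review bot: The same four-line `if (*p_len < N) { android_errorWriteLog(0x534e4554, "169258455"); return NFCSTATUS_FAILED; }` guard is pasted four times in this hunk with only the bound changing, and nothing records which `p_ntf` index each bound is there to cover, which makes a miscounted bound easy to introduce the next time a field is read. A small file-local helper that takes the required length keeps each call site to one line, puts the SafetyNet tag and bug id in one place, and leaves room for a trailing comment naming the protected index; the bounds as written (4 for `p_ntf[3]`, 5 for `p_ntf[4]`, 6 for `p_ntf[5]`, after the top-level `< 2` check covers `p_ntf[0]`/`p_ntf[1]`) all match the reads visible here. `phNxpNciHal_ext_process_nfc_init_rsp` continues past the end of this hunk, so any later read of `p_ntf` in the NTF branch still needs its own bound.
```cpp
/* True when the frame holds at least `need` bytes; a short frame is reported
 * to SafetyNet under the tracking bug before the caller bails out. */
static bool phNxpNciHal_ext_frame_has(uint16_t len, uint16_t need) {
  if (len >= need) return true;
  android_errorWriteLog(0x534e4554, "169258455");
  return false;
}

// … unchanged: NULL / *p_len < 2 check at the top of phNxpNciHal_ext_process_nfc_init_rsp …
  if (p_ntf[0] == NCI_MT_RSP && ((p_ntf[1] & NCI_OID_MASK) == NCI_MSG_CORE_RESET)) {
    if (!phNxpNciHal_ext_frame_has(*p_len, 4)) return NFCSTATUS_FAILED; /* p_ntf[2], p_ntf[3] */
    // … unchanged: NCI2.0 response branch …
    } else if (p_ntf[2] == 0x03 && p_ntf[3] == 0x00) {
      if (!phNxpNciHal_ext_frame_has(*p_len, 5)) return NFCSTATUS_FAILED; /* p_ntf[4] */
      // … unchanged: NCI1.0 version capture …
  } else if (p_ntf[0] == NCI_MT_NTF && ((p_ntf[1] & NCI_OID_MASK) == NCI_MSG_CORE_RESET)) {
    if (!phNxpNciHal_ext_frame_has(*p_len, 4)) return NFCSTATUS_FAILED; /* p_ntf[3] */
    if (p_ntf[3] == CORE_RESET_TRIGGER_TYPE_CORE_RESET_CMD_RECEIVED) {
      if (!phNxpNciHal_ext_frame_has(*p_len, 6)) return NFCSTATUS_FAILED; /* p_ntf[5] */
      // … unchanged: NCI2.0 version capture and phNxpNciHal_configFeatureList call …
```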