authorandroid-build-team Robot <android-build-team-robot@google.com>2021-06-09 20:40:37 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2021-06-09 20:40:37 +0000
commita5b73f8aeeb9c4473602ad7e137f64585f191b9f (patch)
tree1f168a6958f2f14e6b392b0f97e1ed7e9fafa913
parentb181ecc2f1e21041bc599eed986207239c295269 (diff)
parenta9e45d9b1b3e9ba8f44a8ee179f64f7547a24fb4 (diff)
Snap for 7316203 from 2ae2eb3d9d6dec66e43723f6aa80f9763cf33169 to rvc-platform-release am: a9e45d9b1bandroid11-gsi
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/nxp/nfc/+/14427475 Change-Id: I6f39e3cca6ff238bc8d7b55d952a31dc83f1e1dc
-rw-r--r--halimpl/hal/phNxpNciHal.cc29
-rw-r--r--halimpl/hal/phNxpNciHal_ext.cc26
2 files changed, 47 insertions, 8 deletions
diff --git a/halimpl/hal/phNxpNciHal.cc b/halimpl/hal/phNxpNciHal.cc
index 6b4b748..f1a9594 100644
--- a/halimpl/hal/phNxpNciHal.cc
+++ b/halimpl/hal/phNxpNciHal.cc
@@ -3210,21 +3210,36 @@ static void phNxpNciHal_print_res_status(uint8_t* p_rx_data, uint16_t* p_len) {
NXPLOG_NCIHAL_D("%s: response status =%s", __func__, response_buf[11]);
}
if (phNxpNciClock.isClockSet) {
- int i;
- for (i = 0; i < *p_len; i++) {
+ int i, len = sizeof(phNxpNciClock.p_rx_data);
+ if (*p_len > len) {
+ android_errorWriteLog(0x534e4554, "169257710");
+ } else {
+ len = *p_len;
+ }
+ for (i = 0; i < len; i++) {
phNxpNciClock.p_rx_data[i] = p_rx_data[i];
}
}
else if (phNxpNciRfSet.isGetRfSetting) {
- int i;
- for (i = 0; i < *p_len; i++) {
+ int i, len = sizeof(phNxpNciRfSet.p_rx_data);
+ if (*p_len > len) {
+ android_errorWriteLog(0x534e4554, "169258733");
+ } else {
+ len = *p_len;
+ }
+ for (i = 0; i < len; i++) {
phNxpNciRfSet.p_rx_data[i] = p_rx_data[i];
// NXPLOG_NCIHAL_D("%s: response status =0x%x",__func__,p_rx_data[i]);
}
} else if (phNxpNciMwEepromArea.isGetEepromArea) {
- int i;
- for (i = 8; i < *p_len; i++) {
+ int i, len = sizeof(phNxpNciMwEepromArea.p_rx_data) + 8;
+ if (*p_len > len) {
+ android_errorWriteLog(0x534e4554, "169258884");
+ } else {
+ len = *p_len;
+ }
+ for (i = 8; i < len; i++) {
phNxpNciMwEepromArea.p_rx_data[i - 8] = p_rx_data[i];
}
} else if (nxpncihal_ctrl.phNxpNciGpioInfo.state == GPIO_STORE) {
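Review bot: In the oversize arm of all three branches (clock, RF setting, EEPROM) the code logs and then still copies a truncated prefix into the destination, so a later reader of `phNxpNciClock.p_rx_data` or its RF and EEPROM equivalents cannot tell a clipped response from a complete one. Because the function returns void, consider dropping the copy for a malformed length, for example `len = 0;` after each `android_errorWriteLog` call, if the consumers can tolerate an unchanged buffer. Separately, the `GPIO_STORE` branch opened on the last line of this hunk reads `p_rx_data[8]` and `p_rx_data[9]` in the following hunk with no visible check on `*p_len`; a guard such as `if (*p_len < 10)` before those reads would match the rest of the patch. The function starts and ends outside the hunk, so an earlier length check may already exist.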
@@ -3236,7 +3251,7 @@ static void phNxpNciHal_print_res_status(uint8_t* p_rx_data, uint16_t* p_len) {
nxpncihal_ctrl.phNxpNciGpioInfo.values[0] = p_rx_data[9];
nxpncihal_ctrl.phNxpNciGpioInfo.values[1] = p_rx_data[8];
}
-}
+ }
if (p_rx_data[2] && (config_access == true)) {
if (p_rx_data[3] != NFCSTATUS_SUCCESS) {
diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
index 6e10773..805aea6 100644
--- a/halimpl/hal/phNxpNciHal_ext.cc
+++ b/halimpl/hal/phNxpNciHal_ext.cc
@@ -143,6 +143,10 @@ NFCSTATUS phNxpNciHal_process_ext_rsp(uint8_t* p_ntf, uint16_t* p_len) {
status = NFCSTATUS_SUCCESS;
if (bDisableLegacyMfcExtns && bEnableMfcExtns && p_ntf[0] == 0) {
+ if (*p_len < NCI_HEADER_SIZE) {
+ android_errorWriteLog(0x534e4554, "169258743");
+ return NFCSTATUS_FAILED;
+ }
uint16_t extlen;
extlen = *p_len - NCI_HEADER_SIZE;
NxpMfcReaderInstance.AnalyzeMfcResp(&p_ntf[3], &extlen);
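Review bot: The new `*p_len < NCI_HEADER_SIZE` check runs only after the enclosing condition has already read `p_ntf[0]`, so a zero-length response is still indexed before its length is validated. Putting a length test ahead of that read, e.g. `if (bDisableLegacyMfcExtns && bEnableMfcExtns && *p_len > 0 && p_ntf[0] == 0) {`, keeps the read inside the reported length while leaving the `NCI_HEADER_SIZE` rejection as written. Whether a caller can pass `*p_len == 0` or a NULL `p_ntf` here is not visible; the function starts above and continues past this hunk.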
@@ -416,24 +420,40 @@ static NFCSTATUS phNxpNciHal_ext_process_nfc_init_rsp(uint8_t* p_ntf,
NFCSTATUS status = NFCSTATUS_SUCCESS;
/* Parsing CORE_RESET_RSP and CORE_RESET_NTF to update NCI version.*/
- if (p_ntf == NULL || *p_len == 0x00) {
+ if (p_ntf == NULL || *p_len < 2) {
return NFCSTATUS_FAILED;
}
if (p_ntf[0] == NCI_MT_RSP &&
((p_ntf[1] & NCI_OID_MASK) == NCI_MSG_CORE_RESET)) {
+ if (*p_len < 4) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
if (p_ntf[2] == 0x01 && p_ntf[3] == 0x00) {
NXPLOG_NCIHAL_D("CORE_RESET_RSP NCI2.0");
if (nxpncihal_ctrl.hal_ext_enabled == TRUE) {
nxpncihal_ctrl.nci_info.wait_for_ntf = TRUE;
}
} else if (p_ntf[2] == 0x03 && p_ntf[3] == 0x00) {
+ if (*p_len < 5) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
NXPLOG_NCIHAL_D("CORE_RESET_RSP NCI1.0");
nxpncihal_ctrl.nci_info.nci_version = p_ntf[4];
}
} else if (p_ntf[0] == NCI_MT_NTF &&
((p_ntf[1] & NCI_OID_MASK) == NCI_MSG_CORE_RESET)) {
+ if (*p_len < 4) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
if (p_ntf[3] == CORE_RESET_TRIGGER_TYPE_CORE_RESET_CMD_RECEIVED ||
p_ntf[3] == CORE_RESET_TRIGGER_TYPE_POWERED_ON) {
+ if (*p_len < 6) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
NXPLOG_NCIHAL_D("CORE_RESET_NTF NCI2.0 reason CORE_RESET_CMD received !");
nxpncihal_ctrl.nci_info.nci_version = p_ntf[5];
NXPLOG_NCIHAL_D("nci_version : 0x%02x",nxpncihal_ctrl.nci_info.nci_version);
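Review bot: The bounds `2`, `4`, `5` and `6` are bare literals, and each has to stay in step by hand with the highest `p_ntf[]` index read below it (`p_ntf[1]`, `p_ntf[3]`, `p_ntf[4]`, `p_ntf[5]`). A short comment on each check naming that index, e.g. `/* p_ntf[4] is read below */`, would make a later edit to either side harder to get wrong. Every rejection visible in this function also logs the same id `"169258455"` and returns without an `NXPLOG_NCIHAL_E` line, so the log alone does not show which check fired; something like `NXPLOG_NCIHAL_E("%s: short CORE_RESET message, len=%d", __func__, *p_len);` before each return would help triage. The function continues past the hunk.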
@@ -474,6 +494,10 @@ static NFCSTATUS phNxpNciHal_ext_process_nfc_init_rsp(uint8_t* p_ntf,
if(!nxpncihal_ctrl.hal_open_status) {
phNxpNciHal_configFeatureList(p_ntf,*p_len);
}
+ if (*p_len < 3) {
+ android_errorWriteLog(0x534e4554, "169258455");
+ return NFCSTATUS_FAILED;
+ }
int len = p_ntf[2] + 2; /*include 2 byte header*/
if(len != *p_len - 1) {
NXPLOG_NCIHAL_E("phNxpNciHal_ext_process_nfc_init_rsp invalid NTF length");
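Review bot: The `*p_len < 3` check sits after the call `phNxpNciHal_configFeatureList(p_ntf,*p_len)`, so when `hal_open_status` is false that helper still receives the unvalidated buffer and length. Unless the helper does its own bounds checking, which is not visible here, move the check above the `if(!nxpncihal_ctrl.hal_open_status)` block so every consumer of `p_ntf` on this path sees a validated length. The enclosing function starts before the hunk and continues beyond it.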