diff options
| author | Alisher Alikhodjaev <alisher@google.com> | 2020-10-20 18:56:50 -0700 |
|---|---|---|
| committer | Alisher Alikhodjaev <alisher@google.com> | 2020-10-20 18:56:50 -0700 |
| commit | 491a4f0f42f1a922e0096df592ea4e19f1dfb24f (patch) | |
| tree | 8ae2b09efa72e33c71d34f50223b880c634d76d5 | |
| parent | b3a413395fc017be496a9a25057079d63a24ba1c (diff) | |
| download | platform_hardware_nxp_nfc-491a4f0f42f1a922e0096df592ea4e19f1dfb24f.tar.gz platform_hardware_nxp_nfc-491a4f0f42f1a922e0096df592ea4e19f1dfb24f.tar.bz2 platform_hardware_nxp_nfc-491a4f0f42f1a922e0096df592ea4e19f1dfb24f.zip | |
Multiple vulnerabilities in phNxpNciHal_print_res_status
Bug: 169258884
Bug: 169258733
Bug: 169257710
Test: build ok
Change-Id: Icccbe6c781847d5495cc09e9fd72bd5a39011e73
| -rw-r--r-- | halimpl/hal/phNxpNciHal.cc | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/halimpl/hal/phNxpNciHal.cc b/halimpl/hal/phNxpNciHal.cc index 6b4b748..f1a9594 100644 --- a/halimpl/hal/phNxpNciHal.cc +++ b/halimpl/hal/phNxpNciHal.cc @@ -3210,21 +3210,36 @@ static void phNxpNciHal_print_res_status(uint8_t* p_rx_data, uint16_t* p_len) { NXPLOG_NCIHAL_D("%s: response status =%s", __func__, response_buf[11]); } if (phNxpNciClock.isClockSet) { - int i; - for (i = 0; i < *p_len; i++) { + int i, len = sizeof(phNxpNciClock.p_rx_data); + if (*p_len > len) { + android_errorWriteLog(0x534e4554, "169257710"); + } else { + len = *p_len; + } + for (i = 0; i < len; i++) { phNxpNciClock.p_rx_data[i] = p_rx_data[i]; } } else if (phNxpNciRfSet.isGetRfSetting) { - int i; - for (i = 0; i < *p_len; i++) { + int i, len = sizeof(phNxpNciRfSet.p_rx_data); + if (*p_len > len) { + android_errorWriteLog(0x534e4554, "169258733"); + } else { + len = *p_len; + } + for (i = 0; i < len; i++) { phNxpNciRfSet.p_rx_data[i] = p_rx_data[i]; // NXPLOG_NCIHAL_D("%s: response status =0x%x",__func__,p_rx_data[i]); } } else if (phNxpNciMwEepromArea.isGetEepromArea) { - int i; - for (i = 8; i < *p_len; i++) { + int i, len = sizeof(phNxpNciMwEepromArea.p_rx_data) + 8; + if (*p_len > len) { + android_errorWriteLog(0x534e4554, "169258884"); + } else { + len = *p_len; + } + for (i = 8; i < len; i++) { phNxpNciMwEepromArea.p_rx_data[i - 8] = p_rx_data[i]; } } else if (nxpncihal_ctrl.phNxpNciGpioInfo.state == GPIO_STORE) { @@ -3236,7 +3251,7 @@ static void phNxpNciHal_print_res_status(uint8_t* p_rx_data, uint16_t* p_len) { nxpncihal_ctrl.phNxpNciGpioInfo.values[0] = p_rx_data[9]; nxpncihal_ctrl.phNxpNciGpioInfo.values[1] = p_rx_data[8]; } -} + } if (p_rx_data[2] && (config_access == true)) { if (p_rx_data[3] != NFCSTATUS_SUCCESS) { |