-rw-r--r-- | pn8x/halimpl/hal/phNxpNciHal.cc | 27 | ||||
-rw-r--r-- | pn8x/halimpl/hal/phNxpNciHal_ext.cc | 26 |
2 files changed, 46 insertions, 7 deletions
diff --git a/pn8x/halimpl/hal/phNxpNciHal.cc b/pn8x/halimpl/hal/phNxpNciHal.cc
index 3a23e77..37b0aa3 100644
--- a/pn8x/halimpl/hal/phNxpNciHal.cc
+++ b/pn8x/halimpl/hal/phNxpNciHal.cc
@@ -3230,21 +3230,36 @@ static void phNxpNciHal_print_res_status(uint8_t* p_rx_data, uint16_t* p_len) {
     NXPLOG_NCIHAL_D("%s: response status =%s", __func__, response_buf[11]);
   }
   if (phNxpNciClock.isClockSet) {
-    int i;
-    for (i = 0; i < *p_len; i++) {
+    int i, len = sizeof(phNxpNciClock.p_rx_data);
+    if (*p_len > len) {
+      android_errorWriteLog(0x534e4554, "169257710");
+    } else {
+      len = *p_len;
+    }
+    for (i = 0; i < len; i++) {
       phNxpNciClock.p_rx_data[i] = p_rx_data[i];
     }
   } else if (phNxpNciRfSet.isGetRfSetting) {
-    int i;
-    for (i = 0; i < *p_len; i++) {
+    int i, len = sizeof(phNxpNciRfSet.p_rx_data);
+    if (*p_len > len) {
+      android_errorWriteLog(0x534e4554, "169258733");
+    } else {
+      len = *p_len;
+    }
+    for (i = 0; i < len; i++) {
       phNxpNciRfSet.p_rx_data[i] = p_rx_data[i];
       // NXPLOG_NCIHAL_D("%s: response status =0x%x",__func__,p_rx_data[i]);
     }
   } else if (phNxpNciMwEepromArea.isGetEepromArea) {
-    int i;
-    for (i = 8; i < *p_len; i++) {
+    int i, len = sizeof(phNxpNciMwEepromArea.p_rx_data) + 8;
+    if (*p_len > len) {
+      android_errorWriteLog(0x534e4554, "169258884");
+    } else {
+      len = *p_len;
+    }
+    for (i = 8; i < len; i++) {
       phNxpNciMwEepromArea.p_rx_data[i - 8] = p_rx_data[i];
     }
   } else if (nxpncihal_ctrl.phNxpNciGpioInfo.state == GPIO_STORE) {
diff --git a/pn8x/halimpl/hal/phNxpNciHal_ext.cc b/pn8x/halimpl/hal/phNxpNciHal_ext.cc
index 38548b3..3feaa01 100644
--- a/pn8x/halimpl/hal/phNxpNciHal_ext.cc
+++ b/pn8x/halimpl/hal/phNxpNciHal_ext.cc
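Review bot: The log-or-clamp sequence on the new lines is written out three times in phNxpNciHal_print_res_status, each followed by a hand-rolled byte loop, so the bound that matters lives in three places; a small static helper would keep it in one and make each branch a single call. The clamp relies on `sizeof(phNxpNciClock.p_rx_data)` being the size of an inline array member — if p_rx_data were a pointer member this would be the pointer size, which is worth stating in a comment at the first use since the hunk does not show the struct. In the overflow case the code logs and continues with a truncated copy, so whoever later reads p_rx_data (outside the hunk) cannot tell the response was cut short; whether a truncated response should instead be treated as a failed one is a question for those readers. The EEPROM branch's `sizeof(...) + 8` bound pairs with the loop starting at 8, so a message shorter than 8 bytes copies nothing, as before.
```c
/* Bounded copy of an NCI response into a fixed-size HAL buffer. Clamps to
 * dst_size and logs the overflow; returns the number of bytes copied. */
static int phNxpNciHal_copy_bounded(uint8_t* dst, int dst_size,
                                    const uint8_t* src, int src_len,
                                    const char* bug_id) {
  int len = src_len;
  if (src_len > dst_size) {
    android_errorWriteLog(0x534e4554, bug_id);
    len = dst_size;
  }
  memcpy(dst, src, len);
  return len;
}
// … unchanged: phNxpNciHal_print_res_status up to the isClockSet branch …
  if (phNxpNciClock.isClockSet) {
    phNxpNciHal_copy_bounded(phNxpNciClock.p_rx_data,
                             sizeof(phNxpNciClock.p_rx_data), p_rx_data,
                             *p_len, "169257710");
  } else if (phNxpNciRfSet.isGetRfSetting) {
// … unchanged: RfSet branch the same way; EEPROM branch passes p_rx_data + 8 and *p_len - 8 when *p_len > 8 …
```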
@@ -143,6 +143,10 @@ NFCSTATUS phNxpNciHal_process_ext_rsp(uint8_t* p_ntf, uint16_t* p_len) {
   status = NFCSTATUS_SUCCESS;
   if (bDisableLegacyMfcExtns && bEnableMfcExtns && p_ntf[0] == 0) {
+    if (*p_len < NCI_HEADER_SIZE) {
+      android_errorWriteLog(0x534e4554, "169258743");
+      return NFCSTATUS_FAILED;
+    }
     uint16_t extlen;
     extlen = *p_len - NCI_HEADER_SIZE;
     NxpMfcReaderInstance.AnalyzeMfcResp(&p_ntf[3], &extlen);
@@ -415,24 +419,40 @@ static NFCSTATUS phNxpNciHal_ext_process_nfc_init_rsp(uint8_t* p_ntf,
   NFCSTATUS status = NFCSTATUS_SUCCESS;
   /* Parsing CORE_RESET_RSP and CORE_RESET_NTF to update NCI version.*/
-  if (p_ntf == NULL || *p_len == 0x00) {
+  if (p_ntf == NULL || *p_len < 2) {
     return NFCSTATUS_FAILED;
   }
   if (p_ntf[0] == NCI_MT_RSP &&
       ((p_ntf[1] & NCI_OID_MASK) == NCI_MSG_CORE_RESET)) {
+    if (*p_len < 4) {
+      android_errorWriteLog(0x534e4554, "169258455");
+      return NFCSTATUS_FAILED;
+    }
     if (p_ntf[2] == 0x01 && p_ntf[3] == 0x00) {
       NXPLOG_NCIHAL_D("CORE_RESET_RSP NCI2.0");
       if (nxpncihal_ctrl.hal_ext_enabled == TRUE) {
         nxpncihal_ctrl.nci_info.wait_for_ntf = TRUE;
       }
     } else if (p_ntf[2] == 0x03 && p_ntf[3] == 0x00) {
+      if (*p_len < 5) {
+        android_errorWriteLog(0x534e4554, "169258455");
+        return NFCSTATUS_FAILED;
+      }
       NXPLOG_NCIHAL_D("CORE_RESET_RSP NCI1.0");
       nxpncihal_ctrl.nci_info.nci_version = p_ntf[4];
     }
   } else if (p_ntf[0] == NCI_MT_NTF &&
             ((p_ntf[1] & NCI_OID_MASK) == NCI_MSG_CORE_RESET)) {
+    if (*p_len < 4) {
+      android_errorWriteLog(0x534e4554, "169258455");
+      return NFCSTATUS_FAILED;
+    }
     if (p_ntf[3] == CORE_RESET_TRIGGER_TYPE_CORE_RESET_CMD_RECEIVED ||
         p_ntf[3] == CORE_RESET_TRIGGER_TYPE_POWERED_ON) {
+      if (*p_len < 6) {
+        android_errorWriteLog(0x534e4554, "169258455");
+        return NFCSTATUS_FAILED;
+      }
       NXPLOG_NCIHAL_D("CORE_RESET_NTF NCI2.0 reason CORE_RESET_CMD received !");
       nxpncihal_ctrl.nci_info.nci_version = p_ntf[5];
       NXPLOG_NCIHAL_D("nci_version : 0x%02x",
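Review bot: The new guard compares *p_len with NCI_HEADER_SIZE, but the payload pointer on the unchanged line below is still the literal `&p_ntf[3]`; unless NCI_HEADER_SIZE is 3 the length and the offset disagree, so `NxpMfcReaderInstance.AnalyzeMfcResp(&p_ntf[NCI_HEADER_SIZE], &extlen);` keeps the two tied together. When *p_len equals NCI_HEADER_SIZE the guard passes with extlen 0 and a pointer one past the message, which AnalyzeMfcResp (outside the hunk) has to tolerate; `if (*p_len <= NCI_HEADER_SIZE)` would reject an empty payload outright if that is the intent. `p_ntf[0]` is read in the enclosing condition before this check, so if nothing earlier in phNxpNciHal_process_ext_rsp guarantees *p_len >= 1 that read is still unguarded. The function begins and ends outside the hunk.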
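Review bot: The three-line guard `if (*p_len < N) { android_errorWriteLog(0x534e4554, "169258455"); return NFCSTATUS_FAILED; }` is repeated five times in this hunk, and once more in the hunk at line 475, so the bug id and the failure status are now spread over six places in phNxpNciHal_ext_process_nfc_init_rsp; a static helper that takes the required length would leave one copy and let each branch state its precondition on a single line. The bounds themselves match the indices used after them: `< 4` covers the p_ntf[2] and p_ntf[3] reads, `< 5` covers p_ntf[4], `< 6` covers p_ntf[5], and the relaxed top check `< 2` covers p_ntf[0] and p_ntf[1]. The hunk ends mid-statement and the function continues beyond it.
```c
/* True when the NCI message holds at least `need` bytes; otherwise logs the
 * short message and lets the caller fail it. */
static inline bool phNxpNciHal_ext_len_ok(const uint16_t* p_len,
                                          uint16_t need) {
  if (*p_len < need) {
    android_errorWriteLog(0x534e4554, "169258455");
    return false;
  }
  return true;
}
// … unchanged: phNxpNciHal_ext_process_nfc_init_rsp up to the CORE_RESET_RSP branch …
    if (!phNxpNciHal_ext_len_ok(p_len, 4)) return NFCSTATUS_FAILED;
// … unchanged: remaining branches, each guard replaced the same way …
```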
@@ -475,6 +495,10 @@ static NFCSTATUS phNxpNciHal_ext_process_nfc_init_rsp(uint8_t* p_ntf,
     if (!nxpncihal_ctrl.hal_open_status) {
       phNxpNciHal_configFeatureList(p_ntf, *p_len);
     }
+    if (*p_len < 3) {
+      android_errorWriteLog(0x534e4554, "169258455");
+      return NFCSTATUS_FAILED;
+    }
     int len = p_ntf[2] + 2; /*include 2 byte header*/
     if (len != *p_len - 1) {
       NXPLOG_NCIHAL_E( |
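Review bot: The new `*p_len < 3` guard sits below the unchanged `phNxpNciHal_configFeatureList(p_ntf, *p_len);` call, so that call still runs on a message the function is about to reject; if configFeatureList indexes p_ntf beyond the two bytes the earlier `*p_len < 2` check guarantees (its body is outside the hunk), moving the guard above the `if (!nxpncihal_ctrl.hal_open_status)` block would cover it as well and costs nothing when the message is valid. The guard is sufficient for the `p_ntf[2]` read on the line that follows it. phNxpNciHal_ext_process_nfc_init_rsp begins and ends outside the hunk.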