authorGeorge Chang <georgekgchang@google.com>2019-01-28 09:39:38 +0800
committerGeorge Chang <georgekgchang@google.com>2019-01-28 09:44:30 +0800
commitaa45470da25f5b3c7c814058c289b9cce8ceabb8 (patch)
treeb30ac03f8f18cad915dd399283793a31d02d10f2 /halimpl/hal
parent0d62ddb1beb3881a3b068de200f7861d95d1297b (diff)
Prevent OOB read in phNxpNciHal_ext_process_nfc_init_rsp
Bug: 121263487 Test: Enable/Disable, R/W Tag, HCE Change-Id: Ia00dfb0b32fd5b38d6a8140f5f5974e4afa62b8b
Diffstat (limited to 'halimpl/hal')
-rwxr-xr-xhalimpl/hal/phNxpNciHal_ext.cc10
1 files changed, 10 insertions, 0 deletions
diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
index 38018be..ba2c452 100755
--- a/halimpl/hal/phNxpNciHal_ext.cc
+++ b/halimpl/hal/phNxpNciHal_ext.cc
@@ -428,6 +428,11 @@ static NFCSTATUS phNxpNciHal_ext_process_nfc_init_rsp(uint8_t* p_ntf,
phNxpNciHal_configFeatureList(p_ntf,*p_len);
}
int len = p_ntf[2] + 2; /*include 2 byte header*/
+ if(len != *p_len - 1) {
+ NXPLOG_NCIHAL_E("phNxpNciHal_ext_process_nfc_init_rsp invalid NTF length");
+ android_errorWriteLog(0x534e4554, "121263487");
+ return NFCSTATUS_FAILED;
+ }
wFwVerRsp = (((uint32_t)p_ntf[len - 2]) << 16U) |
(((uint32_t)p_ntf[len - 1]) << 8U) | p_ntf[len];
NXPLOG_NCIHAL_D("NxpNci> FW Version: %x.%x.%x", p_ntf[len - 2],
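Review bot: The new guard `if(len != *p_len - 1)` only ties `len` to the reported length and sets no lower bound, so a response whose `p_ntf[2]` is 0, 1 or 2 with a matching `*p_len` still passes, and the reads at `p_ntf[len - 2]` through `p_ntf[len]` then land on NCI header bytes instead of firmware-version bytes. Those reads are in bounds, but `wFwVerRsp` is built from header data; requiring the three version bytes to be present, e.g. `if (p_ntf[2] < 3 || len != *p_len - 1) {`, would reject such a packet. The identical guard in the second hunk (+462) has the same gap. The enclosing function starts before this hunk and the `NXPLOG_NCIHAL_D` call continues past its last line.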
@@ -457,6 +462,11 @@ static NFCSTATUS phNxpNciHal_ext_process_nfc_init_rsp(uint8_t* p_ntf,
phNxpNciHal_configFeatureList(p_ntf,*p_len);
}
int len = p_ntf[2] + 2; /*include 2 byte header*/
+ if(len != *p_len - 1) {
+ NXPLOG_NCIHAL_E("phNxpNciHal_ext_process_nfc_init_rsp invalid NTF length");
+ android_errorWriteLog(0x534e4554, "121263487");
+ return NFCSTATUS_FAILED;
+ }
wFwVerRsp = (((uint32_t)p_ntf[len - 2]) << 16U) |
(((uint32_t)p_ntf[len - 1]) << 8U) | p_ntf[len];
if (wFwVerRsp == 0) status = NFCSTATUS_FAILED;
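Review bot: The length validation runs after the packet has already been consumed: `p_ntf[2]` is read on the context line above the guard, and `phNxpNciHal_configFeatureList(p_ntf,*p_len)` is called with the unvalidated length before that, both here and in the first hunk. Whether this matters depends on code outside the hunk (the size of the buffer behind `p_ntf` and how `phNxpNciHal_configFeatureList` uses `*p_len`), so it should be confirmed. If nothing earlier guarantees at least a full header, a check such as `if (*p_len < 3) return NFCSTATUS_FAILED;` placed ahead of both uses would close it. Because the guard is duplicated verbatim in two branches, moving it into one small static helper would keep the copies from drifting apart. The function body starts before and continues after this hunk.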