Merge tag 'android-10.0.0_r37' into staging/lineage-17.1_merge-android-10.0.0_r37HEADlineage-17.1

Android 10.0.0 Release 37 (QQ3A.200605.001)

* tag 'android-10.0.0_r37':
  Prevent OOB write in phNxpNciHal_write_ext
  Prevent OOBR in NxpNfc::ioctl
  Prevent potential OOB in phNxpNciHal_NfcDep_cmd_ext
  Prevent OOB write in phNxpNciHal_send_ese_hal_cmd

Change-Id: I4de6690719bb0ee3ddd3ae34c37c1d9a061a556c

2 files changed, 16 insertions, 3 deletions

diff --git a/halimpl/hal/phNxpNciHal_NfcDepSWPrio.cc b/halimpl/hal/phNxpNciHal_NfcDepSWPrio.cc
index 6e0c6e6..19c5c01 100755
--- a/halimpl/hal/phNxpNciHal_NfcDepSWPrio.cc
+++ b/halimpl/hal/phNxpNciHal_NfcDepSWPrio.cc
@@ -23,6 +23,8 @@
 #define CLEAN_UP_TIMEOUT 250
 #define MAX_WRITE_RETRY 5
 
+#define MAX_POLL_CMD_LEN 64
+#define NCI_HEADER_SIZE 3
 /******************* Global variables *****************************************/
 extern phNxpNciHal_Control_t nxpncihal_ctrl;
 extern NFCSTATUS phNxpNciHal_send_ext_cmd(uint16_t cmd_len, uint8_t* p_cmd);
@@ -33,7 +35,7 @@ static uint8_t cmd_resume_rf_discovery[] = {0x21, 0x06, 0x01,
 /*RF_DISCOVER_SELECT_CMD*/
 static uint8_t cmd_select_rf_discovery[] = {0x21, 0x04, 0x03, 0x01, 0x04, 0x02};
 
-static uint8_t cmd_poll[64];
+static uint8_t cmd_poll[MAX_POLL_CMD_LEN];
 static uint8_t cmd_poll_len = 0;
 int discover_type = 0xFF;
 uint32_t cleanup_timer;
@@ -509,11 +511,16 @@ NFCSTATUS phNxpNciHal_select_RF_Discovery(unsigned int RfID,
 **
 *******************************************************************************/
 void phNxpNciHal_NfcDep_cmd_ext(uint8_t* p_cmd_data, uint16_t* cmd_len) {
+  if (*cmd_len < NCI_HEADER_SIZE) return;
   if (p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x03) {
     if (*cmd_len == 6 && p_cmd_data[3] == 0x01 && p_cmd_data[4] == 0x02 &&
         p_cmd_data[5] == 0x01) {
       /* DO NOTHING */
     } else {
+      if (*cmd_len > MAX_POLL_CMD_LEN) {
+        NXPLOG_NCIHAL_E("invalid cmd_len");
+        return;
+      }
       /* Store the polling loop configuration */
       cmd_poll_len = *cmd_len;
       memset(&cmd_poll, 0, cmd_poll_len);
diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
index d75b6b4..d1267d2 100755
--- a/halimpl/hal/phNxpNciHal_ext.cc
+++ b/halimpl/hal/phNxpNciHal_ext.cc
@@ -679,7 +679,8 @@ NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data,
     }
   }
 
-  if (retval == 0x01 && p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
+  if (*cmd_len <= (NCI_MAX_DATA_LEN - 3) &&
+      retval == 0x01 && p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
     NXPLOG_NCIHAL_D("Going through extns - Adding Mifare in RF Discovery");
     p_cmd_data[2] += 3;
     p_cmd_data[3] += 1;
@@ -793,7 +794,8 @@ NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data,
     phNxpNciHal_print_packet("RECV", p_rsp_data, 5);
     //        status = NFCSTATUS_FAILED;
     NXPLOG_NCIHAL_D("> Going through workaround - Dirty Set Config - End ");
-  } else if (p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
+  } else if (*cmd_len <= (NCI_MAX_DATA_LEN - 3) &&
+             p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
     NXPLOG_NCIHAL_D(
         "> Going through workaround - Add Mifare Classic in Discovery Map");
     p_cmd_data[*cmd_len] = 0x80;
@@ -942,6 +944,10 @@ NFCSTATUS phNxpNciHal_send_ext_cmd(uint16_t cmd_len, uint8_t* p_cmd) {
  ******************************************************************************/
 NFCSTATUS phNxpNciHal_send_ese_hal_cmd(uint16_t cmd_len, uint8_t* p_cmd) {
   NFCSTATUS status = NFCSTATUS_FAILED;
+  if (cmd_len > NCI_MAX_DATA_LEN) {
+    NXPLOG_NCIHAL_E("cmd_len exceeds limit NCI_MAX_DATA_LEN");
+    return status;
+  }
   nxpncihal_ctrl.cmd_len = cmd_len;
   memcpy(nxpncihal_ctrl.p_cmd_data, p_cmd, cmd_len);
   status = phNxpNciHal_process_ext_cmd_rsp(nxpncihal_ctrl.cmd_len,