-rwxr-xr-x | extns/impl/NxpNfc.cpp | 4 | ||||
-rwxr-xr-x | halimpl/hal/phNxpNciHal_NfcDepSWPrio.cc | 9 | ||||
-rwxr-xr-x | halimpl/hal/phNxpNciHal_ext.cc | 10 |
3 files changed, 20 insertions, 3 deletions
diff --git a/extns/impl/NxpNfc.cpp b/extns/impl/NxpNfc.cpp
index 955499f..3aab2a9 100755
--- a/extns/impl/NxpNfc.cpp
+++ b/extns/impl/NxpNfc.cpp
@@ -38,6 +38,10 @@ Return<void> NxpNfc::ioctl(uint64_t ioctlType,
 nfc_nci_IoctlInOutData_t* pInOutData = (nfc_nci_IoctlInOutData_t*)&inOutData[0];
+ if (inOutData.size() < sizeof (nfc_nci_IoctlInOutData_t)) {
+ ALOGE("%s invalid inOutData size, size = %d", __func__, (int)inOutData.size());
+ return Void();
+ }
 /*data from proxy->stub is copied to local data which can be updated by
 * underlying HAL implementation since its an inout argument*/
 memcpy(&inpOutData, pInOutData, sizeof(nfc_nci_IoctlInOutData_t));
diff --git a/halimpl/hal/phNxpNciHal_NfcDepSWPrio.cc b/halimpl/hal/phNxpNciHal_NfcDepSWPrio.cc
index 6e0c6e6..19c5c01 100755
--- a/halimpl/hal/phNxpNciHal_NfcDepSWPrio.cc
+++ b/halimpl/hal/phNxpNciHal_NfcDepSWPrio.cc
@@ -23,6 +23,8 @@
 #define CLEAN_UP_TIMEOUT 250
 #define MAX_WRITE_RETRY 5
+#define MAX_POLL_CMD_LEN 64
+#define NCI_HEADER_SIZE 3
 /******************* Global variables *****************************************/
 extern phNxpNciHal_Control_t nxpncihal_ctrl;
 extern NFCSTATUS phNxpNciHal_send_ext_cmd(uint16_t cmd_len, uint8_t* p_cmd);
@@ -33,7 +35,7 @@ static uint8_t cmd_resume_rf_discovery[] = {0x21, 0x06, 0x01,
 /*RF_DISCOVER_SELECT_CMD*/
 static uint8_t cmd_select_rf_discovery[] = {0x21, 0x04, 0x03,
 0x01, 0x04, 0x02};
-static uint8_t cmd_poll[64];
+static uint8_t cmd_poll[MAX_POLL_CMD_LEN];
 static uint8_t cmd_poll_len = 0;
 int discover_type = 0xFF;
 uint32_t cleanup_timer;
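Review bot: The new size guard sits one line below `nfc_nci_IoctlInOutData_t* pInOutData = (nfc_nci_IoctlInOutData_t*)&inOutData[0];`, so for an empty `inOutData` the subscript `inOutData[0]` is still evaluated before the guard rejects the call; moving the `if (inOutData.size() < sizeof(nfc_nci_IoctlInOutData_t))` block above the pointer initialisation keeps every access to the buffer behind the check. The early `return Void()` also appears to leave the HIDL result callback uncalled (the signature is cut off at `uint64_t ioctlType,`, so this is inferred from the `Return<void>` shape) — if the method takes a `_hidl_cb`, invoking it with a failure status before returning would let the caller distinguish a rejected argument from a transport error. Minor: `sizeof (nfc_nci_IoctlInOutData_t)` with a space differs from the `sizeof(...)` spelling on the `memcpy` line just below. The rest of `NxpNfc::ioctl` lies outside the hunk.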
@@ -509,11 +511,16 @@ NFCSTATUS phNxpNciHal_select_RF_Discovery(unsigned int RfID,
 **
 *******************************************************************************/
 void phNxpNciHal_NfcDep_cmd_ext(uint8_t* p_cmd_data, uint16_t* cmd_len) {
+ if (*cmd_len < NCI_HEADER_SIZE) return;
 if (p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x03) {
 if (*cmd_len == 6 && p_cmd_data[3] == 0x01 && p_cmd_data[4] == 0x02 &&
 p_cmd_data[5] == 0x01) {
 /* DO NOTHING */
 } else {
+ if (*cmd_len > MAX_POLL_CMD_LEN) {
+ NXPLOG_NCIHAL_E("invalid cmd_len");
+ return;
+ }
 /* Store the polling loop configuration */
 cmd_poll_len = *cmd_len;
 memset(&cmd_poll, 0, cmd_poll_len);
diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
index d75b6b4..d1267d2 100755
--- a/halimpl/hal/phNxpNciHal_ext.cc
+++ b/halimpl/hal/phNxpNciHal_ext.cc
@@ -679,7 +679,8 @@ NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data,
 }
 }
- if (retval == 0x01 && p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
+ if (*cmd_len <= (NCI_MAX_DATA_LEN - 3) &&
+ retval == 0x01 && p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
 NXPLOG_NCIHAL_D("Going through extns - Adding Mifare in RF Discovery");
 p_cmd_data[2] += 3;
 p_cmd_data[3] += 1;
@@ -793,7 +794,8 @@ NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data,
 phNxpNciHal_print_packet("RECV", p_rsp_data, 5);
 // status = NFCSTATUS_FAILED;
 NXPLOG_NCIHAL_D("> Going through workaround - Dirty Set Config - End ");
- } else if (p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
+ } else if (*cmd_len <= (NCI_MAX_DATA_LEN - 3) &&
+ p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
 NXPLOG_NCIHAL_D(
 "> Going through workaround - Add Mifare Classic in Discovery Map");
 p_cmd_data[*cmd_len] = 0x80;
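Review bot: The two new length guards in `phNxpNciHal_NfcDep_cmd_ext` are not reflected in the function's header comment, whose closing `**` and `*****/` lines open the hunk; the Description section presumably above them should state the contract, e.g. `** Note: commands shorter than NCI_HEADER_SIZE are ignored; polling` / `** configurations longer than MAX_POLL_CMD_LEN are rejected, not cached`. The `NCI_HEADER_SIZE` check covers the `p_cmd_data[0]` and `p_cmd_data[1]` reads, and the `*cmd_len == 6` test already bounds the reads of indices 3–5, so the indexing visible in the hunk is consistent with the guards. The short-command path returns without a trace while the over-long path logs `invalid cmd_len`; logging the rejected value on both, e.g. `NXPLOG_NCIHAL_E("invalid cmd_len %u", *cmd_len);`, would make dropped commands visible in field logs. The function body continues past the `memset` outside the hunk.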
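Review bot: The bound `*cmd_len <= (NCI_MAX_DATA_LEN - 3)` added at `@@ -679` is repeated verbatim in the `@@ -793` hunk, and the literal 3 is also the amount added on `p_cmd_data[2] += 3;`; all three encode the same fact — the Mifare discovery-map entry is three bytes — and should share one named constant (a new define such as `MIFARE_DISC_MAP_ENTRY_LEN` used in both guards and the increment), so a later change to the entry size cannot leave one bound stale. The guard is only sufficient if `p_cmd_data` has room for `NCI_MAX_DATA_LEN` bytes, which neither hunk shows; a comment at the first guard such as `/* 3-byte Mifare entry must fit: p_cmd_data holds NCI_MAX_DATA_LEN bytes */` once that is confirmed would document the assumption. When the bound fails the command silently skips the workaround, and a `NXPLOG_NCIHAL_E` on that path would make the dropped extension visible. `phNxpNciHal_write_ext` starts and ends outside both hunks.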
@@ -942,6 +944,10 @@ NFCSTATUS phNxpNciHal_send_ext_cmd(uint16_t cmd_len, uint8_t* p_cmd) {
 ******************************************************************************/
 NFCSTATUS phNxpNciHal_send_ese_hal_cmd(uint16_t cmd_len, uint8_t* p_cmd) {
 NFCSTATUS status = NFCSTATUS_FAILED;
+ if (cmd_len > NCI_MAX_DATA_LEN) {
+ NXPLOG_NCIHAL_E("cmd_len exceeds limit NCI_MAX_DATA_LEN");
+ return status;
+ }
 nxpncihal_ctrl.cmd_len = cmd_len;
 memcpy(nxpncihal_ctrl.p_cmd_data, p_cmd, cmd_len);
 status = phNxpNciHal_process_ext_cmd_rsp(nxpncihal_ctrl.cmd_len, |
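Review bot: The rejection in `phNxpNciHal_send_ese_hal_cmd` returns the `NFCSTATUS_FAILED` that `status` was initialised with, so a caller cannot tell an oversized `cmd_len` from a command that was sent and failed; if `NFCSTATUS_INVALID_PARAMETER` from the HAL status header is in scope here, returning it on this path would preserve that distinction. The log line also omits the offending value — `NXPLOG_NCIHAL_E("cmd_len %u exceeds limit NCI_MAX_DATA_LEN", cmd_len);` is cheaper to triage. The `>` comparison assumes `nxpncihal_ctrl.p_cmd_data` holds exactly `NCI_MAX_DATA_LEN` bytes, making `cmd_len == NCI_MAX_DATA_LEN` the largest legal copy; that is not visible in the hunk and deserves a one-line comment above the guard once confirmed. `phNxpNciHal_send_ext_cmd`, named in the hunk header, presumably performs the same `memcpy` into `nxpncihal_ctrl.p_cmd_data` just above and would need the equivalent guard if it does not already have one; the remainder of `phNxpNciHal_send_ese_hal_cmd` is outside the hunk.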