From 1d25d9c7849c7f239dcb93421ec1502e146fc2b3 Mon Sep 17 00:00:00 2001 From: Alisher Alikhodjaev Date: Tue, 31 Jan 2023 18:11:59 -0800 Subject: [PATCH] OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2 Bug: 238177877 Test: build ok Merged-In: I2b412a44099021da923bda23fad1e17e961b86aa Change-Id: Idec58a09db2346bd340b33293cc5b67f2490b5ff (cherry picked from commit a77b3b8ceacfd75cac672ded4301fadebb3811e4) Merged-In: Idec58a09db2346bd340b33293cc5b67f2490b5ff --- SN100x/halimpl/mifare/NxpMfcReader.cc | 13 +++++++++---- SN100x/halimpl/mifare/NxpMfcReader.h | 4 ++-- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/SN100x/halimpl/mifare/NxpMfcReader.cc b/SN100x/halimpl/mifare/NxpMfcReader.cc index 4ed6429..59429a9 100644 --- a/SN100x/halimpl/mifare/NxpMfcReader.cc +++ b/SN100x/halimpl/mifare/NxpMfcReader.cc @@ -54,13 +54,13 @@ int NxpMfcReader::Write(uint16_t mfcDataLen, const uint8_t *pMfcData) { BuildMfcCmd(&mfcTagCmdBuff[3], &mfcTagCmdBuffLen); mfcTagCmdBuff[2] = mfcTagCmdBuffLen; - mfcDataLen = mfcTagCmdBuffLen + NCI_HEADER_SIZE; - int writtenDataLen = phNxpNciHal_write_internal(mfcDataLen, mfcTagCmdBuff); + int writtenDataLen = phNxpNciHal_write_internal( + mfcTagCmdBuffLen + NCI_HEADER_SIZE, mfcTagCmdBuff); /* send TAG_CMD part 2 for Mifare increment ,decrement and restore commands */ if (mfcTagCmdBuff[4] == eMifareDec || mfcTagCmdBuff[4] == eMifareInc || mfcTagCmdBuff[4] == eMifareRestore) { - SendIncDecRestoreCmdPart2(pMfcData); + SendIncDecRestoreCmdPart2(mfcDataLen, pMfcData); } return writtenDataLen; } @@ -264,7 +264,8 @@ void NxpMfcReader::AuthForWrite() { ** Returns None ** *******************************************************************************/ -void NxpMfcReader::SendIncDecRestoreCmdPart2(const uint8_t *mfcData) { +void NxpMfcReader::SendIncDecRestoreCmdPart2(uint16_t mfcDataLen, + const uint8_t *mfcData) { NFCSTATUS status = NFCSTATUS_SUCCESS; /* Build TAG_CMD part 2 for Mifare increment ,decrement and restore commands*/ uint8_t incDecRestorePart2[] = {0x00, 0x00, 0x05, (uint8_t)eMfRawDataXchgHdr, @@ -272,6 +273,10 @@ void NxpMfcReader::SendIncDecRestoreCmdPart2(const uint8_t *mfcData) { uint8_t incDecRestorePart2Size = (sizeof(incDecRestorePart2) / sizeof(incDecRestorePart2[0])); if (mfcData[3] == eMifareInc || mfcData[3] == eMifareDec) { + if (incDecRestorePart2Size >= mfcDataLen) { + incDecRestorePart2Size = mfcDataLen - 1; + android_errorWriteLog(0x534e4554, "238177877"); + } for (int i = 4; i < incDecRestorePart2Size; i++) { incDecRestorePart2[i] = mfcData[i + 1]; } diff --git a/SN100x/halimpl/mifare/NxpMfcReader.h b/SN100x/halimpl/mifare/NxpMfcReader.h index 3b353ba..0792df5 100644 --- a/SN100x/halimpl/mifare/NxpMfcReader.h +++ b/SN100x/halimpl/mifare/NxpMfcReader.h @@ -109,7 +109,7 @@ class NxpMfcReader { void BuildIncDecCmd(); void CalcSectorAddress(); void AuthForWrite(); - void SendIncDecRestoreCmdPart2(const uint8_t *mfcData); + void SendIncDecRestoreCmdPart2(uint16_t mfcDataLen, const uint8_t *mfcData); public: int Write(uint16_t mfcDataLen, const uint8_t *pMfcData); @@ -117,4 +117,4 @@ class NxpMfcReader { NFCSTATUS CheckMfcResponse(uint8_t *pTransceiveData, uint16_t transceiveDataLen); static NxpMfcReader &getInstance(); -}; \ No newline at end of file +};