Fix for potential OOB write due to missing boundary check. am: 471e6431b8 am: e04e7fd2f6 am: 8a931bbafb
Original change: https://android-review.googlesource.com/c/platform/hardware/nxp/secure_element/+/2628857
Change-Id: I26b9a527fa9cb47f069e05766fe86bf6c7cc967f
Signed-off-by: Automerger Merge Worker <[email protected]>
diff --git a/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp b/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp
index 9db2d3b..1fb73fe 100644
--- a/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp
+++ b/pn8x/libese-spi/p73/lib/phNxpEse_Api.cpp
@@ -1,6 +1,6 @@
/******************************************************************************
*
- * Copyright 2018 NXP
+ * Copyright 2018,2023 NXP
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -999,6 +999,10 @@
*
******************************************************************************/
ESESTATUS phNxpEse_WriteFrame(uint32_t data_len, const uint8_t* p_data) {
+ if (data_len > MAX_DATA_LEN) {
+ ALOGE("%s Data length causes oob write error", __FUNCTION__);
+ return ESESTATUS_FAILED;
+ }
ESESTATUS status = ESESTATUS_INVALID_PARAMETER;
int32_t dwNoBytesWrRd = 0;
ALOGD_IF(ese_debug_enabled, "Enter %s ", __FUNCTION__);
diff --git a/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp b/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp
index 5fc188e..09d9df9 100644
--- a/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp
+++ b/snxxx/libese-spi/p73/lib/phNxpEse_Api.cpp
@@ -1567,6 +1567,10 @@
*
******************************************************************************/
ESESTATUS phNxpEse_WriteFrame(uint32_t data_len, uint8_t* p_data) {
+ if (data_len > MAX_DATA_LEN || data_len == 0) {
+ ALOGE("%s Data length causes oob write error", __FUNCTION__);
+ return ESESTATUS_FAILED;
+ }
ESESTATUS status = ESESTATUS_INVALID_PARAMETER;
int32_t dwNoBytesWrRd = 0;
NXP_LOG_ESE_D("Enter %s ", __FUNCTION__);
