Add AID length check to prevent OOB access

Bug: 275640120
Bug: 270152278
Bug: 271118806
Test: atest VtsAidlHalNfcTargetTest
Merged-In: Ie587dac1cc8a35e55be3ed2a8ab0dbadbe472511
Change-Id: Ie587dac1cc8a35e55be3ed2a8ab0dbadbe472511
diff --git a/secure_element/1.0/SecureElement.cpp b/secure_element/1.0/SecureElement.cpp
index 8a2c476..0441150 100644
--- a/secure_element/1.0/SecureElement.cpp
+++ b/secure_element/1.0/SecureElement.cpp
@@ -43,6 +43,10 @@
 #define LOG_HAL_LEVEL 4
 #endif
 
+#ifndef MAX_AID_LEN
+#define MAX_AID_LEN 16
+#endif
+
 uint8_t getResponse[5] = {0x00, 0xC0, 0x00, 0x00, 0x00};
 static struct se_gto_ctx *ctx;
 bool debug_log_enabled = false;
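Review bot: `MAX_AID_LEN` is introduced as a bare macro with no comment saying what the 16 stands for or which buffer the checks below are protecting, so a reader cannot tell whether the bound comes from the protocol or from a local buffer size. I would annotate the define, e.g. `// Upper bound on AID length (ISO/IEC 7816-4 AIDs are 5..16 bytes); guards the APDU built from 6 + aid.size()`. The `#ifndef` guard also lets a build flag redefine the limit and silently widen the bound the fix relies on; since these are C++ files, a `constexpr size_t kMaxAidLen = 16;` next to the other globals would remove that override path. The same macro is added identically in the 1.1, 1.2 and aidl `SecureElement.cpp` hunks.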
@@ -211,6 +215,12 @@
 
     SecureElementStatus mSecureElementStatus = SecureElementStatus::IOERROR;
 
+    if (aid.size() > MAX_AID_LEN) {
+        ALOGE("SecureElement:%s: Bad AID size", __func__);
+        _hidl_cb(resApduBuff, SecureElementStatus::FAILED);
+        return Void();
+    }
+
     uint8_t *apdu; //65536
     int apdu_len = 0;
     uint8_t *resp;
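Review bot: The rejection path added here is repeated verbatim in seven other hunks (the second hunk of this file and both hunks of the 1.1, 1.2 and aidl files), each with the same log string and its own error return, so the bound and its rationale now live in eight places. A small file-local helper such as `static inline bool isAidSizeValid(size_t len) { return len <= MAX_AID_LEN; }` with a one-line comment on why the limit exists would keep the next change to the bound in one spot per file. The enclosing function starts and ends outside this hunk.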
@@ -397,6 +407,11 @@
         }
     }
 
+    if (aid.size() > MAX_AID_LEN) {
+        ALOGE("SecureElement:%s: Bad AID size", __func__);
+        _hidl_cb(result, SecureElementStatus::FAILED);
+        return Void();
+    }
 
     apdu_len = (int32_t)(6 + aid.size());
     resp_len = 0;
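Review bot: The guard is placed after the block that closes at the top of this hunk, unlike the first hunk of this file where it precedes all local setup; what that block does is outside the hunk, so if it has already reserved a channel slot or allocated a buffer, the early `return Void()` skips the corresponding release. Moving the check to the top of the function, before any state is touched, would make both entry points consistent and avoid that question; the same late placement appears in the second hunk of the 1.1, 1.2 and aidl files. The enclosing function starts and ends outside this hunk.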
diff --git a/secure_element/1.1/SecureElement.cpp b/secure_element/1.1/SecureElement.cpp
index 31c65c7..e8e7108 100644
--- a/secure_element/1.1/SecureElement.cpp
+++ b/secure_element/1.1/SecureElement.cpp
@@ -43,6 +43,10 @@
 #define LOG_HAL_LEVEL 4
 #endif
 
+#ifndef MAX_AID_LEN
+#define MAX_AID_LEN 16
+#endif
+
 uint8_t getResponse[5] = {0x00, 0xC0, 0x00, 0x00, 0x00};
 static struct se_gto_ctx *ctx;
 bool debug_log_enabled = false;
@@ -245,6 +249,12 @@
 
     SecureElementStatus mSecureElementStatus = SecureElementStatus::IOERROR;
 
+    if (aid.size() > MAX_AID_LEN) {
+        ALOGE("SecureElement:%s: Bad AID size", __func__);
+        _hidl_cb(resApduBuff, SecureElementStatus::FAILED);
+        return Void();
+    }
+
     uint8_t *apdu; //65536
     int apdu_len = 0;
     uint8_t *resp;
@@ -436,6 +446,11 @@
         }
     }
 
+    if (aid.size() > MAX_AID_LEN) {
+        ALOGE("SecureElement:%s: Bad AID size", __func__);
+        _hidl_cb(result, SecureElementStatus::FAILED);
+        return Void();
+    }
 
     apdu_len = (int32_t)(6 + aid.size());
     resp_len = 0;
diff --git a/secure_element/1.2/SecureElement.cpp b/secure_element/1.2/SecureElement.cpp
index 59ea2ef..d835e88 100644
--- a/secure_element/1.2/SecureElement.cpp
+++ b/secure_element/1.2/SecureElement.cpp
@@ -48,6 +48,10 @@
 #define LOG_HAL_LEVEL 4
 #endif
 
+#ifndef MAX_AID_LEN
+#define MAX_AID_LEN 16
+#endif
+
 uint8_t getResponse[5] = {0x00, 0xC0, 0x00, 0x00, 0x00};
 static struct se_gto_ctx *ctx;
 bool debug_log_enabled = false;
@@ -259,6 +263,13 @@
 
     SecureElementStatus mSecureElementStatus = SecureElementStatus::IOERROR;
 
+    if (aid.size() > MAX_AID_LEN) {
+        ALOGE("SecureElement:%s: Bad AID size", __func__);
+        _hidl_cb(resApduBuff, SecureElementStatus::FAILED);
+        return Void();
+    }
+
+
     uint8_t *apdu; //65536
     int apdu_len = 0;
     uint8_t *resp;
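Review bot: Two blank lines are added after the guard here, where the corresponding 1.0 and 1.1 hunks add one; drop the second so the four files stay aligned and a later diff between them does not show spurious whitespace changes.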
@@ -450,6 +461,11 @@
         }
     }
 
+    if (aid.size() > MAX_AID_LEN) {
+        ALOGE("SecureElement:%s: Bad AID size", __func__);
+        _hidl_cb(result, SecureElementStatus::FAILED);
+        return Void();
+    }
 
     apdu_len = (int32_t)(6 + aid.size());
     resp_len = 0;
diff --git a/secure_element/aidl/SecureElement.cpp b/secure_element/aidl/SecureElement.cpp
index 1ab6bca..7a34242 100644
--- a/secure_element/aidl/SecureElement.cpp
+++ b/secure_element/aidl/SecureElement.cpp
@@ -48,6 +48,10 @@
 #define SUCCESS 0
 #endif
 
+#ifndef MAX_AID_LEN
+#define MAX_AID_LEN 16
+#endif
+
 uint8_t getResponse[5] = {0x00, 0xC0, 0x00, 0x00, 0x00};
 static struct se_gto_ctx *ctx;
 bool debug_log_enabled = false;
@@ -225,6 +229,11 @@
         }
     }
 
+    if (aid.size() > MAX_AID_LEN) {
+        ALOGE("SecureElement:%s: Bad AID size", __func__);
+        return ScopedAStatus::fromServiceSpecificError(FAILED);
+    }
+
     int mSecureElementStatus = IOERROR;
 
     uint8_t *apdu; //65536
@@ -417,6 +426,10 @@
         }
     }
 
+    if (aid.size() > MAX_AID_LEN) {
+        ALOGE("SecureElement:%s: Bad AID size", __func__);
+        return ScopedAStatus::fromServiceSpecificError(FAILED);
+    }
 
     apdu_len = (int32_t)(6 + aid.size());
     resp_len = 0;