
Commit 0aa1017f authored by Martijn Coenen

Prevent allocation overflows by corrupt NDEF records.

Basic sanity check for the length fields in NdefRecord; this prevents
malformed NdefRecords from crashing the vm and the entire NFC service
with it.

Bug: 4165324
Change-Id: I67b341d445d6647cb76cc24ea49afaf77de0610e
parent 1b755dea
+13 −0
@@ -102,6 +102,19 @@ static jint android_nfc_NdefMessage_parseNdefMessage(JNIEnv *e, jobject o,
        }
        TRACE("phFriNfc_NdefRecord_Parse() returned 0x%04x", status);

        // We don't exactly know what *is* a valid length, but a simple
        // sanity check is to make sure that the length of the header
        // plus all fields does not exceed raw_msg_size. The min length
        // of the header is 3 bytes: TNF, Type Length, Payload Length
        // (ID length field is optional!)
        uint64_t indicatedMsgLength = 3 + record.TypeLength + record.IdLength +
                (uint64_t)record.PayloadLength;
        if (indicatedMsgLength >
                (uint64_t)raw_msg_size) {
            LOGE("phFri_NdefRecord_Parse: invalid length field");
            goto end;
        }

        type = e->NewByteArray(record.TypeLength);
        if (type == NULL) {
            LOGD("NFC_Set Record Type Error\n");
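Review bot: the error message `LOGE("phFri_NdefRecord_Parse: invalid length field");` names a function that differs from the one traced two lines earlier (`phFriNfc_NdefRecord_Parse`); use the same spelling so the two log lines can be correlated when triaging a rejected record. The hunk also shows `goto end` without what `end` does: confirm that this path returns a failure status to the caller and releases anything allocated earlier in the loop, otherwise a record rejected here could be reported as a successfully parsed (truncated) message. Finally, the bound `indicatedMsgLength > (uint64_t)raw_msg_size` only rejects a record whose declared lengths exceed the whole buffer; if `raw_msg_size` is the size of the entire message rather than the bytes remaining at this record's start, a later record in a multi-record message could still declare lengths that fit the total but run past the end of the buffer, so comparing against the remaining length would be the tighter check. The widening to `uint64_t` before the addition is the right call, since it keeps the sum itself from wrapping.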