[Kona : DF200422-00681] Fix security weakness accepted/tizen/unified/20200511.214640 submit/tizen/20200511.011844
authorJihoon Jung <jh8801.jung@samsung.com>
Thu, 7 May 2020 04:12:09 +0000 (13:12 +0900)
committerJihoon Jung <jh8801.jung@samsung.com>
Thu, 7 May 2020 04:12:09 +0000 (13:12 +0900)
- Fix memcpy heap buffer overflow

Signed-off-by: Jihoon Jung <jh8801.jung@samsung.com>
src/commonlib/net_nfc_util_ndef_message.c

index cf34468355e408025e205484ed3e1b54fbc47fda..e17ab3c676a298f7f8c4320662ace5237c904401 100644 (file)
@@ -125,18 +125,22 @@ net_nfc_error_e net_nfc_util_convert_rawdata_to_ndef_message(data_s * rawdata, n
        uint8_t *last = NULL;
        uint8_t ndef_header = 0;
        net_nfc_error_e result = NET_NFC_OK;
+       int current_index, last_index;
 
        if (rawdata == NULL || ndef == NULL)
                return NET_NFC_NULL_PARAMETER;
 
        current = rawdata->buffer;
+       current_index = 0;
        last = current + rawdata->length;
+       last_index = rawdata->length;
 
        if (rawdata->length < 3)
                return NET_NFC_INVALID_FORMAT;
 
        for (ndef->recordCount = 0; current < last; ndef->recordCount++) {
                ndef_header = *current++;
+               current_index++;
 
                if (ndef->recordCount == 0) {
                        /* first record has MB field */
@@ -169,10 +173,12 @@ net_nfc_error_e net_nfc_util_convert_rawdata_to_ndef_message(data_s * rawdata, n
                newRec->TNF = ndef_header & NET_NFC_NDEF_RECORD_MASK_TNF;
 
                newRec->type_s.length = *current++;
+               current_index++;
 
                /* SR = 1 -> payload is 1 byte, SR = 0 -> payload is 4 bytes */
                if (ndef_header & NET_NFC_NDEF_RECORD_MASK_SR) {
                        newRec->payload_s.length = *current++;
+                       current_index++;
                } else {
                        newRec->payload_s.length = (uint32_t) ((*current) << 24);
                        current++;
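Review bot: The type-length byte at `newRec->type_s.length = *current++;` and the short payload-length byte below it are still read before any bound check; the new `current_index > last_index` comparison only appears in the last hunk, after up to six header bytes have been consumed, so a final record that is truncated right after its header byte is still read past `last` (the loop condition guarantees only the header byte itself). A guard before each read closes this, e.g. `if (current_index >= last_index) { result = NET_NFC_INVALID_FORMAT; goto error; }` ahead of the type-length read, with `current_index + 4 > last_index` ahead of the four-byte payload length and `current_index >= last_index` ahead of the ID-length read in the third hunk. Since `current_index` is kept in step with `current`, the guard can use the index rather than pointer arithmetic, which would itself be undefined once `current` is past the buffer. The enclosing function starts in the first hunk and continues past the last.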
@@ -185,13 +191,17 @@ net_nfc_error_e net_nfc_util_convert_rawdata_to_ndef_message(data_s * rawdata, n
 
                        newRec->payload_s.length += (uint32_t) ((*current));
                        current++;
+
+                       current_index += 4;
                }
 
                /* ID length check */
-               if (ndef_header & NET_NFC_NDEF_RECORD_MASK_IL)
+               if (ndef_header & NET_NFC_NDEF_RECORD_MASK_IL) {
                        newRec->id_s.length = *current++;
-               else
+                       current_index++;
+               } else {
                        newRec->id_s.length = 0;
+               }
 
                /* to do : chunked record */
 
@@ -210,6 +220,15 @@ net_nfc_error_e net_nfc_util_convert_rawdata_to_ndef_message(data_s * rawdata, n
                        }
                }
 
+               current_index += newRec->type_s.length;
+               current_index += newRec->id_s.length;
+               current_index += newRec->payload_s.length;
+
+               if (current_index > last_index) {
+                       result = NET_NFC_INVALID_FORMAT;
+                       goto error;
+               }
+
                /* put Type buffer */
                if (newRec->type_s.length > 0) {
                        _net_nfc_util_alloc_mem(newRec->type_s.buffer, newRec->type_s.length);
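Review bot: The accumulation `current_index += newRec->payload_s.length;` can wrap: `current_index` is declared `int` in the first hunk while `payload_s.length` is a 32-bit unsigned value assembled from four bytes in the third hunk, so the addition is done modulo 2^32 and converted back, and a crafted payload length near UINT32_MAX can bring `current_index` back below `last_index`, letting the check on the following lines pass and the allocation and `memcpy` that presumably follow outside the hunk use the unchecked length. Widening both indices avoids this with a one-line change in the first hunk, `uint64_t current_index, last_index;` — three 32-bit lengths cannot overflow a 64-bit sum and the `>` comparison keeps its meaning; alternatively compare each length against the bytes remaining before adding it. A comment above the check would also help, e.g. `/* all length fields are read; reject a record whose declared type, ID and payload would run past the end of rawdata */`, since it is not obvious why the check sits here rather than at the top of the loop. Whether the `error:` label releases the partially built `newRec` is outside this hunk and worth confirming.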