[pn532_spi] Fix preamble check logic and OOB access when full_len is zero (#14486)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jonathan Swoboda
2026-03-05 14:09:34 -05:00
committed by GitHub
parent e1d0c6da09
commit cce7a09fa9
+10 -4
View File
@@ -88,9 +88,10 @@ bool PN532Spi::read_response(uint8_t command, std::vector<uint8_t> &data) {
#endif
ESP_LOGV(TAG, "Header data: %s", format_hex_pretty_to(hex_buf, sizeof(hex_buf), header.data(), header.size()));
if (header[0] != 0x00 && header[1] != 0x00 && header[2] != 0xFF) {
if (header[0] != 0x00 || header[1] != 0x00 || header[2] != 0xFF) {
// invalid packet
ESP_LOGV(TAG, "read data invalid preamble!");
this->disable();
return false;
}
@@ -100,15 +101,20 @@ bool PN532Spi::read_response(uint8_t command, std::vector<uint8_t> &data) {
if (!valid_header) {
ESP_LOGV(TAG, "read data invalid header!");
this->disable();
return false;
}
// full length of message, including command response
// full length of message, including command response (minimum 2: TFI + command response)
uint8_t full_len = header[3];
if (full_len < 2) {
ESP_LOGV(TAG, "read data has no payload");
this->disable();
return false;
}
// length of data, excluding command response
uint8_t len = full_len - 1;
if (full_len == 0)
len = 0;
ESP_LOGV(TAG, "Reading response of length %d", len);