Correct corrupted CC value on MIFARE ULC tag
Correct the CC value on a MIFARE ULC tag if it is corrupted, to avoid a crash
Change-Id: I57d89d6101ecb55878501bb842271d8bd2e1f81c
diff --git a/src/nfc/include/tags_defs.h b/src/nfc/include/tags_defs.h
index 14d2859..66588cf 100644
--- a/src/nfc/include/tags_defs.h
+++ b/src/nfc/include/tags_defs.h
@@ -202,7 +202,7 @@
#define T2T_TLEN_LOCK_CTRL_TLV 3 /* Tag len for LOCK_CTRL TLV per spec */
#define T2T_TLEN_MEM_CTRL_TLV 3 /* Tag len for MEM_CTRL TLV per spec */
-#define T2T_MAX_SECTOR 2 /* Maximum number of sectors supported */
+#define T2T_MAX_SECTOR 3 /* Maximum number of sectors supported */
#define T2T_TLV_TYPE_LEN 1 /* Tlv type identifier len */
diff --git a/src/nfc/int/rw_int.h b/src/nfc/int/rw_int.h
index 908fd09..ef16926 100644
--- a/src/nfc/int/rw_int.h
+++ b/src/nfc/int/rw_int.h
@@ -191,6 +191,11 @@
#define T2T_BRCM_STATIC_MEM 0x2E01
#define T2T_BRCM_DYNAMIC_MEM 0x2E02
+/* CC2 value on MiFare ULC tag */
+#define T2T_MIFARE_ULC_TMS 0x12
+/* Possible corrupt cc2 value range on MiFare ULC tags */
+#define T2T_INVALID_CC_TMS_VAL0 0x10
+#define T2T_INVALID_CC_TMS_VAL1 0x1F
#define T2T_NDEF_NOT_DETECTED 0x00
#define T2T_NDEF_DETECTED 0x01
#define T2T_NDEF_READ 0x02
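Review bot: `T2T_MIFARE_ULC_TMS` is added here but no hunk in this change uses it; the correction code writes `T2T_CC2_TMS_MULC` instead, so the new define looks like a duplicate that can drift from the constant actually used. The "corrupt" range 0x10–0x1F also contains 0x12, the value the first comment gives as the valid one, so the two bounds describe the range that gets normalised rather than a set of invalid values. I would drop the unused define and reword the second comment to something like `/* CC2 values in this range on a MIFARE tag are rewritten to T2T_CC2_TMS_MULC */`.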
diff --git a/src/nfc/tags/rw_t2t.c b/src/nfc/tags/rw_t2t.c
index de2de64..6f03656 100644
--- a/src/nfc/tags/rw_t2t.c
+++ b/src/nfc/tags/rw_t2t.c
@@ -191,6 +191,13 @@
{
p_t2t->b_read_hdr = TRUE;
memcpy (p_t2t->tag_hdr, p, T2T_READ_DATA_LEN);
+ /* On Ultralight - C tag, if CC is corrupt, correct it */
+ if ( (p_t2t->tag_hdr[0] == TAG_MIFARE_MID)
+ &&(p_t2t->tag_hdr[T2T_CC2_TMS_BYTE] >= T2T_INVALID_CC_TMS_VAL0)
+ &&(p_t2t->tag_hdr[T2T_CC2_TMS_BYTE] <= T2T_INVALID_CC_TMS_VAL1) )
+ {
+ p_t2t->tag_hdr[T2T_CC2_TMS_BYTE] = T2T_CC2_TMS_MULC;
+ }
}
break;
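Review bot: The correction keys on `tag_hdr[0] == TAG_MIFARE_MID` alone, which (going by the name) identifies the manufacturer rather than the Ultralight C product, so any tag that reports that first byte and a CC2 in 0x10–0x1F has its size byte silently rewritten to `T2T_CC2_TMS_MULC`. The header is tag-supplied data copied in by the `memcpy` above, so the crash this avoids is more reliably prevented by bounds-checking where the CC2-derived size is consumed than by normalising one byte; that code is outside this hunk. The same seven lines are added again in rw_t2t_ndef.c at `@@ -88,6 +88,13 @@`; a single helper declared in rw_int.h and called from both places would keep the copies from diverging, and a trace line when the byte is rewritten would make the substitution visible during debugging.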
diff --git a/src/nfc/tags/rw_t2t_ndef.c b/src/nfc/tags/rw_t2t_ndef.c
index f9ba79f..5e2a197 100644
--- a/src/nfc/tags/rw_t2t_ndef.c
+++ b/src/nfc/tags/rw_t2t_ndef.c
@@ -88,6 +88,13 @@
{
p_t2t->b_read_hdr = TRUE;
memcpy (p_t2t->tag_hdr, p_data, T2T_READ_DATA_LEN);
+ /* On Ultralight - C tag, if CC is corrupt, correct it */
+ if ( (p_t2t->tag_hdr[0] == TAG_MIFARE_MID)
+ &&(p_t2t->tag_hdr[T2T_CC2_TMS_BYTE] >= T2T_INVALID_CC_TMS_VAL0)
+ &&(p_t2t->tag_hdr[T2T_CC2_TMS_BYTE] <= T2T_INVALID_CC_TMS_VAL1) )
+ {
+ p_t2t->tag_hdr[T2T_CC2_TMS_BYTE] = T2T_CC2_TMS_MULC;
+ }
}
switch (p_t2t->state)
@@ -838,6 +845,8 @@
UINT16 block;
if ( (p_t2t->tag_hdr[T2T_CC3_RWA_BYTE] != T2T_CC3_RWA_RW)
+ ||((p_t2t->tag_hdr[0] == TAG_MIFARE_MID) && (p_t2t->tag_hdr[T2T_CC2_TMS_BYTE] == T2T_CC2_TMS_MULC))
+ ||((p_t2t->tag_hdr[0] == TAG_MIFARE_MID) && (p_t2t->tag_hdr[T2T_CC2_TMS_BYTE] == T2T_CC2_TMS_MUL))
||(p_t2t->skip_dyn_locks) )
{
/* Skip reading dynamic lock bytes if CC is set as Read only or layer above instructs to skip */
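Review bot: The retained comment under the condition still says the dynamic lock bytes are skipped only when the CC is read-only or the layer above asks, but the two added clauses now also skip them for every tag with `TAG_MIFARE_MID` and a CC2 of `T2T_CC2_TMS_MULC` or `T2T_CC2_TMS_MUL`. If those bytes are never read, any lock attributes derived from them presumably will not reflect locked pages on such tags, so the reason for skipping should be stated next to the test, e.g. `/* Also skip on MIFARE UL / UL-C: <reason> */`. The two clauses repeat the `tag_hdr[0]` comparison and can be folded into one test with an inner `||` on the CC2 value. The enclosing function starts and ends outside this hunk.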
@@ -849,7 +858,7 @@
}
}
- while (num_locks < p_t2t->num_lockbytes)
+ while ((num_locks < p_t2t->num_lockbytes) && (num_locks < RW_T2T_MAX_LOCK_BYTES))
{
if (p_t2t->lockbyte[num_locks].b_lock_read == FALSE)
{
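Review bot: Capping the loop at `RW_T2T_MAX_LOCK_BYTES` keeps this reader inside `lockbyte[]` (assuming the array has that many entries), but `p_t2t->num_lockbytes` keeps its oversized value, so every other loop that trusts it needs its own guard. The count is presumably derived from tag-supplied lock control data in code outside this hunk; clamping or rejecting it where it is computed would cover all users at once. In the `@@ -2348,7 +2357,7 @@` hunk, `lockbyte[num_dyn_lock_bytes]` is read with no equivalent bound visible.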
@@ -2348,7 +2357,7 @@
bytes_covered = 0;
while (bytes_covered < bytes_locked_per_lock_bit)
{
- if (p_t2t->lockbyte[num_dyn_lock_bytes].lock_byte & rw_t2t_mask_bits[xx])
+ if ((p_t2t->lockbyte[num_dyn_lock_bytes].lock_byte & rw_t2t_mask_bits[xx]) && (block_count < RW_T2T_SEGMENT_SIZE))
{
/* If the bit is set then it is locked */
p_t2t->lock_attr[block_count] |= 0x01 << bits_covered;
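Review bot: The added `block_count < RW_T2T_SEGMENT_SIZE` test only suppresses the write to `lock_attr[block_count]`; as the second operand of `&&` it leaves the `lockbyte[num_dyn_lock_bytes]` read unguarded and, as far as the hunk shows, lets the loop keep running with an out-of-range `block_count`. Once the index is past the segment nothing more can be recorded, so an explicit `if (block_count >= RW_T2T_SEGMENT_SIZE) break;` ahead of the bit test states the limit more clearly than folding it into the lock-bit condition. The rest of the loop body, including any else branch that the combined condition would now also take, is outside this hunk.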