[RECOVERY] : Crash in nfc_ncif_cmd_timeout while sending last command
diff --git a/halimpl/pn54x/hal/phNxpNciHal.c b/halimpl/pn54x/hal/phNxpNciHal.c
index 006cdff..f5fd1f2 100644
--- a/halimpl/pn54x/hal/phNxpNciHal.c
+++ b/halimpl/pn54x/hal/phNxpNciHal.c
@@ -2066,7 +2066,7 @@
}
// Set the proper screen state
- switch (p_core_init_rsp_params[255]) {
+ switch (p_core_init_rsp_params[295]) {
case 0x0:
case 0x8:
NXPLOG_NCIHAL_E("Last Screen State Sent = 0x0");
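Review bot: The screen-state offset `295` is a bare literal that must stay in lockstep with the producer side in nfc_ncif.c, where the same number appears in `bufflen = 36 + 258 + 2` and in `buffer[295] = gScreenState` (hunk @@ -197); nothing ties the three together, so a later resize of the recovery buffer in one file silently breaks the other. A named constant visible to both translation units (e.g. a screen-state offset derived from the same buffer-size constant) would make the layout a single definition. Whether this HAL entry point also checks the length it is handed against that offset is not visible in this hunk; the enclosing switch and its function continue outside the hunk.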
@@ -2148,16 +2148,8 @@
}
NXPLOG_NCIHAL_E("Sending last command for Recovery ");
- /*
- * Field 35 will have total length of command HDR(2) + Length(1) + Cmd data(n).
- * - 36,37 - HDR(2).
- * - 38 - Length(1).
- * If length of last command is 0 then it doesn't need to send last command.
- * Field 35 - 38 will be 0x03 (HDR(2) + Length(1)) in all valid cases.
- * This extra check is added to avoid sending corrupt data as command.
- */
- if ((p_core_init_rsp_params[35] > 0)&&
- (p_core_init_rsp_params[35] - p_core_init_rsp_params[38] == 0x03)) {
+
+ if (p_core_init_rsp_params[35] == 1) {
if (!((p_core_init_rsp_params[36] == 0x21) &&
(p_core_init_rsp_params[37] == 0x03) &&
(*(p_core_init_rsp_params + 1) == 0x01)) &&
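Review bot: The removed block comment was the only description of the recovery-buffer layout in this file, and the consistency check it justified (`p[35] - p[38] == 0x03`) has no replacement, so a buffer whose indicator byte is 1 but whose field 38 is stale is now sent as-is. Since field 38 is a single byte the derived length used later (`p_core_init_rsp_params[38] + 3`) cannot exceed 258, which stays inside a 296-byte buffer only if the caller always hands over the full buffer; that assumption is worth stating. Suggest restoring a short comment above the `if`, along the lines of `/* Field 35: 1 = a last command follows, 0 = nothing to resend. Fields 36-37 = HDR, 38 = data length (max 255), 39.. = data. */`. The `if` body continues past the end of this hunk.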
@@ -2170,8 +2162,7 @@
// if the last command is deactivate to idle and RF status is also idle ,
// no need to execute the command .
{
- tmp_len = p_core_init_rsp_params[35];
-
+ tmp_len = p_core_init_rsp_params[38] + 3; //Field 38 gives length of data + 3 - header and length field
/* Check for NXP ext before sending write */
status = phNxpNciHal_write_ext(
&tmp_len, (uint8_t*)&p_core_init_rsp_params[36],
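Review bot: The trailing `//Field 38 gives length of data + 3 ...` comment breaks the file's `/* ... */` style used on the very next line (`/* Check for NXP ext before sending write */`), and the `3` it explains is the same HDR(2) + Length(1) constant the producer uses in nfc_ncif.c. Prefer a comment on its own line above the assignment, e.g. `/* Field 38 holds the command data length; +3 covers HDR(2) + Length(1) */` followed by `tmp_len = p_core_init_rsp_params[38] + 3;`. The enclosing block starts before this hunk.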
@@ -2191,10 +2182,8 @@
return NFCSTATUS_SUCCESS;
}
- p_core_init_rsp_params[35] = (uint8_t)tmp_len;
-
status = phNxpNciHal_send_ext_cmd(
- p_core_init_rsp_params[35], (uint8_t*)&p_core_init_rsp_params[36]);
+ tmp_len, (uint8_t*)&p_core_init_rsp_params[36]);
if (status != NFCSTATUS_SUCCESS) {
NXPLOG_NCIHAL_E("Sending last command for Recovery Failed");
retry_core_init_cnt++;
diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index 2e5c8f4..a8b0e66 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -171,16 +171,17 @@
buffer[1] = Last NFCC NCI RF State, 0:IDLE 1:DISCOVERY
buffer[2] = Length of discovery command to be sent as a part of recovery.
buffer[3~34] = Last Discovery command(including phase data).(32 byte)
- buffer[35] = Length of last command.
- buffer[36~254] = Last Command /or Last Command including Data.
- buffer[255] = Last screen state
+ buffer[35] = Indicator 0: No command to be sent after Recovery 1: Command available to be sent after recovery
+ buffer[36~294] = Last Command /or Last Command including Data.
+ buffer[295] = Last screen state
*/
uint8_t* buffer = NULL;
tNFC_CONN_CB* p_cb = NULL;
- uint16_t bufflen = 0x100;
+ uint16_t bufflen = 36 + 258 + 2; //Initial data + max command size + 1 extra buffer + 1 screenState
uint16_t fw_dwnld_status = NFC_STATUS_FAILED;
tNFC_STATUS status = NFC_STATUS_FAILED;
tNFC_FWUpdate_Info_t fw_update_inf;
+ nfc_nci_IoctlInOutData_t inpOutData;
/*Stop the command timeout timer*/
nfc_stop_timer(&nfc_cb.nci_wait_rsp_timer);
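Review bot: `nfc_nci_IoctlInOutData_t inpOutData;` is declared without an initializer and is later passed by address to two `ioctl` calls (hunk @@ -213); if the HAL inspects any input field of that structure for those requests it reads indeterminate stack bytes, and any `out` field the HAL does not write is read back as garbage. Zero-initialize it at the declaration, `nfc_nci_IoctlInOutData_t inpOutData = {0};`, so the failure mode is a known value rather than stack contents. Separately, the trailing `//Initial data + max command size ...` comment on the `bufflen` line departs from the `/* */` style used throughout this function, and the `36 + 258 + 2` arithmetic is the same layout the HAL hard-codes as index 295, so a shared named constant would be preferable to parallel literals. The function body continues past this hunk.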
@@ -197,7 +198,7 @@
buffer[0] = 0x01;
/*Set the last screen state*/
- buffer[255] = gScreenState;
+ buffer[295] = gScreenState;
NFC_TRACE_DEBUG1("MW last RF discovery flags 0x%x",
nfa_dm_cb.disc_cb.disc_flags);
@@ -213,8 +214,10 @@
}
else {
NFC_TRACE_DEBUG0("Force FW Download !");
- nfc_cb.p_hal->ioctl(HAL_NFC_IOCTL_CHECK_FLASH_REQ, &fw_update_inf);
- nfc_cb.p_hal->ioctl(HAL_NFC_IOCTL_FW_DWNLD, &fw_dwnld_status);
+ nfc_cb.p_hal->ioctl(HAL_NFC_IOCTL_CHECK_FLASH_REQ, &inpOutData);
+ fw_update_inf = *(tNFC_FWUpdate_Info_t*)&inpOutData.out.data.fwUpdateInf;
+ nfc_cb.p_hal->ioctl(HAL_NFC_IOCTL_FW_DWNLD, &inpOutData);
+ fw_dwnld_status = inpOutData.out.data.fwDwnldStatus;
NFC_TRACE_DEBUG1("FW Download 0x%x", fw_dwnld_status);
if (fw_dwnld_status != NFC_STATUS_OK)
nfc_enabled(NFC_STATUS_FAILED, NULL);
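Review bot: The `ioctl` return values are still ignored, but the new code now reads `inpOutData.out.data.fwUpdateInf` and `.fwDwnldStatus` unconditionally afterwards; previously `fw_dwnld_status` kept its `NFC_STATUS_FAILED` default if the request was not serviced, whereas now it is overwritten with whatever the out struct holds, which may not be a value the HAL wrote. If `ioctl` reports a status, gate the reads on it, e.g. `if (nfc_cb.p_hal->ioctl(HAL_NFC_IOCTL_FW_DWNLD, &inpOutData) == 0) fw_dwnld_status = inpOutData.out.data.fwDwnldStatus;` (adjust to the HAL's actual success value). The `*(tNFC_FWUpdate_Info_t*)&...fwUpdateInf` cast also deserves a look: if the field already has that type the cast is noise, and if it does not, the reinterpretation is an aliasing hazard better expressed with `memcpy`. The enclosing `if/else` extends beyond this hunk.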
@@ -284,18 +287,17 @@
(nfc_cb.last_cmd_buf[0] == 0x01 &&
nfc_cb.last_cmd_buf[1] == 0x00)) /*DEACTIVATE TO IDLE*/
) {
- /*Set the length of last command*/
- buffer[35] = nfc_cb.cmd_size + 3; /*HDR(2) + Length(1) + Cmd data(n)*/
+ /*Set indicating last command is available to be sent after recovery*/
+ buffer[35] = 0x01;
+
/*Copy the last HEADER*/
memcpy(&buffer[36], nfc_cb.last_hdr, NFC_SAVED_HDR_SIZE);
/*Copy the last command*/
memcpy(&buffer[38], nfc_cb.last_cmd_buf, nfc_cb.cmd_size + 1);
} else /*either CORE_RESET or CORE_INIT was the last command*/
{
- /*full length of command*/
- buffer[35] =
- 2 + 1 + nfc_cb.cmd_size; /*HDR(2) + Length(1) + Command data size(n)*/
-
+ /*Set indicating last command is available to be sent after recovery*/
+ buffer[35] = 0x01;
memcpy(&buffer[36], nfc_cb.last_hdr, NFC_SAVED_HDR_SIZE);
buffer[38] = nfc_cb.cmd_size; /*Length of last command*/
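Review bot: Both branches of the `if/else` now begin with the identical pair `buffer[35] = 0x01;` and `memcpy(&buffer[36], nfc_cb.last_hdr, NFC_SAVED_HDR_SIZE);`, so the duplication added here can be hoisted above the condition and the branches reduced to the parts that differ (the payload copy). The new comment also reads awkwardly; `/* Indicate that a last command is available to be sent after recovery */` says the same thing in plainer form. The condition that opens this `if` starts before the hunk and the `else` branch continues after it.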
@@ -304,7 +306,6 @@
memcpy(&buffer[39], nfc_cb.last_cmd, NFC_SAVED_CMD_SIZE);
else
buffer[35] = 0x00; /*last command was CORE_INIT*/
-
if (nfc_cb.last_hdr[0] == 0x20 && nfc_cb.last_hdr[1] == 0x00)
buffer[0] = 2; /*indicate last command was CORE_RESET*/
else if (nfc_cb.last_hdr[0] == 0x20 && nfc_cb.last_hdr[1] == 0x01)
@@ -337,9 +338,10 @@
}
}
NFC_TRACE_DEBUG3(
- "nfc_ncif_cmd_timeout(): Indicator:0x%X disc cmd len:0x%X last cmd "
- "len:0x%X",
- buffer[0], buffer[2], buffer[35]);
+ "nfc_ncif_cmd_timeout(): Indicator:0x%02X disc cmd len:0x%02X last cmd "
+ "len:0x%02X",
+ buffer[0], buffer[2], buffer[38]);
+
nfc_cb.p_hal->core_initialized(bufflen, buffer);
if (buffer != NULL) free(buffer);
NFC_TRACE_DEBUG0("nfc_ncif_cmd_timeout(): exit");
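Review bot: The trace now prints `buffer[38]` under the "last cmd len" label but no longer shows `buffer[35]`, which is the byte the HAL gates on, and `buffer[38]` is only meaningful when that indicator is 1. Adding a line such as `NFC_TRACE_DEBUG1("nfc_ncif_cmd_timeout(): last cmd indicator:0x%02X", buffer[35]);` before the existing trace would keep the recovery path diagnosable from the log alone.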