I’ve pulled both versions of rw_i93_send_to_upper (at 0x1DDE38) and compared them. In the “_new” build you see this guard immediately before the call to GKI_getbuf(length + NFC_HDR_SIZE):

if (UINT16_MAX - length < NFC_HDR_SIZE) { /* fail fast – overflow would happen / rw_data.i93_cmd_cmpl.status = NFC_STATUS_FAILED; rw_data.i93_cmd_cmpl.command = p_i93->sent_cmd; rw_cb.tcb.i93.sent_cmd = 0; event = RW_I93_CMD_CMPL_EVT; break; } p_buff = (NFC_HDR)GKI_getbuf((uint16_t)(length + NFC_HDR_SIZE));*_

That bounds-check is exactly the CVE-2023-21241 fix. When you look at the “old” build, that entire “if (UINT16_MAX – length < NFC_HDR_SIZE)” block is missing. The code simply goes on to do GKI_getbuf(length + NFC_HDR_SIZE) without any range check.

Conclusion: the old binary lacks the overflow check and is vulnerable to CVE-2023-21241.

Here’s the decompiled rw_i93_send_to_upper from the old (libnfc-sec.so_old) build at 0x001DDE38. Notice the missing check for UINT16_MAX – length < NFC_HDR_SIZE:

You can see there is no early if (UINT16_MAX – length < NFC_HDR_SIZE) … check before the eventual buffer allocation call. That missing guard is exactly why this version is vulnerable._

Below is a small unified‐diff showing exactly what was added to the old rw_i93_send_to_upper to produce the new, CVE-patched version. I’ve aligned it to the original C source rather than the decompiler’s temporaries:

In the old binary this if (UINT16_MAX - length < NFC_HDR_SIZE) … break; block does not exist, so it directly calls_

without any bounds check. That missing guard is exactly the CVE-2023-21241 fix.

Below is a minimal unified diff of the decompiled bodies, highlighting only the lines that were inserted in the “new” binary. I’ve abstracted away some of the decompiler clutter to focus on the real change:

All other lines in the decompiled functions are identical; the only semantic difference is that 9-line guard block immediately preceding the call to GKI_getbuf(...)._