Prevent Integer Overflow in rw_t3t_act_handle_check_rsp()
Bug: 120503926
Test: NFC Enable/Disable
Change-Id: I260c2028ab56260ae4d26ce7c4699763df20ce7a
(cherry picked from commit cee2f35a694627e191c7bf26728f9ff7aa07414a)
diff --git a/src/nfc/tags/rw_t3t.cc b/src/nfc/tags/rw_t3t.cc
index 8130730..b911f3b 100644
--- a/src/nfc/tags/rw_t3t.cc
+++ b/src/nfc/tags/rw_t3t.cc
@@ -1377,7 +1377,7 @@
T3T_MSG_OPC_CHECK_RSP, p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE]);
nfc_status = NFC_STATUS_FAILED;
GKI_freebuf(p_msg_rsp);
- } else {
+ } else if (p_msg_rsp->len >= T3T_MSG_RSP_OFFSET_CHECK_DATA) {
/* Copy incoming data into buffer */
p_msg_rsp->offset +=
T3T_MSG_RSP_OFFSET_CHECK_DATA; /* Skip over t3t header */
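Review bot: The length guard added on the `else if` is evaluated only after the response code has already been read through `p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE]` (visible in the failure branch just above, and presumably in the enclosing `if` condition, which starts outside this hunk), so a response shorter than the response-code offset is still indexed before any bounds check unless an earlier check outside the hunk already covers it; hoisting a single `len` check above the enclosing `if` would protect both the response-code read and the header skip. The guard itself is correct for the skip that follows, since `len >= T3T_MSG_RSP_OFFSET_CHECK_DATA` leaves a non-negative payload length after the header is subtracted. A short comment on the condition would make the intent clear, e.g. `/* Only skip the T3T header if the response is at least that long */`. The enclosing function body continues past this hunk.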
@@ -1387,6 +1387,10 @@
tRW_DATA rw_data;
rw_data.data = evt_data;
(*(rw_cb.p_cback))(RW_T3T_CHECK_EVT, &rw_data);
+ } else {
+ android_errorWriteLog(0x534e4554, "120503926");
+ nfc_status = NFC_STATUS_FAILED;
+ GKI_freebuf(p_msg_rsp);
}
p_cb->rw_state = RW_T3T_STATE_IDLE;
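Review bot: The new `else` branch repeats the same failure handling as the response-code failure branch in the previous hunk (`nfc_status = NFC_STATUS_FAILED; GKI_freebuf(p_msg_rsp);`), and nothing in the branch says why the response was rejected; a comment such as `/* Response too short to contain the T3T header: treat as malformed */` would tell a reader the condition that leads here, since the guard lives in the earlier hunk. Whether a failed `nfc_status` is reported to the upper layer after `p_cb->rw_state` is reset depends on code outside this hunk, so the short-response path should be confirmed to surface a failure event like the existing failure branch does.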