Fix heap overflow in NFA_SendRawFrame()
Bug: 120664978
Test: NFC enable/disable
Change-Id: I1b6a062fb5bf10364a20e99faf4adef13a478d22
(cherry picked from commit e873f932bab2335edb2503dd775fa51d3ae99f01)
diff --git a/src/nfa/dm/nfa_dm_api.cc b/src/nfa/dm/nfa_dm_api.cc
index bec5df4..197174a 100644
--- a/src/nfa/dm/nfa_dm_api.cc
+++ b/src/nfa/dm/nfa_dm_api.cc
@@ -25,6 +25,7 @@
#include <android-base/stringprintf.h>
#include <base/logging.h>
+#include <log/log.h>
#include "ndef_utils.h"
#include "nfa_api.h"
@@ -939,6 +940,11 @@
return (NFA_STATUS_INVALID_PARAM);
size = NFC_HDR_SIZE + NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE + data_len;
+ /* Check for integer overflow */
+ if (size < data_len) {
+ android_errorWriteLog(0x534e4554, "120664978");
+ return NFA_STATUS_INVALID_PARAM;
+ }
p_msg = (NFC_HDR*)GKI_getbuf(size);
if (p_msg != NULL) {
p_msg->event = NFA_DM_API_RAW_FRAME_EVT;
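Review bot: The guard `if (size < data_len)` only detects wraparound if `size` and `data_len` are unsigned types of the same width, and neither declaration is visible in this hunk. If `size` is wider, the sum cannot wrap and the check is dead code; if that assumption holds, it is worth pinning next to the check with something like `static_assert(sizeof(size) == sizeof(data_len), "overflow check assumes equal width");`. The comment could also say why the wrap matters, e.g. `/* A wrapped size would under-allocate p_msg while data_len bytes are still copied into it */`, hedged against the copy code, which lies below the end of this hunk. A short note that `0x534e4554` is ASCII "SNET", the tag for the security event log, would explain the magic number to readers of the `android_errorWriteLog` call. The enclosing function starts and ends outside the hunk.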