Fix heap overflow in NFA_SendRawFrame() Bug: 120664978 Test: NFC enable/disable Change-Id: I1b6a062fb5bf10364a20e99faf4adef13a478d22 (cherry picked from commit e873f932bab2335edb2503dd775fa51d3ae99f01)

commit: cbc4823029edabb86bf8d6ac481bbc005ca942b2 [log] [tgz]
author: Ruchi Kandoi <kandoiruchi@google.com> Mon Jan 07 16:17:48 2019 -0800
committer: JP Sugarbroad <jpsugar@google.com> Mon Jan 14 16:44:25 2019 -0800
tree: 698f5f10de896b7aabe5920713e3e2ad7d326182
parent: b5f3ef4acb917ca2243dcc36b93793867f15f709 [diff]
diff --git a/src/nfa/dm/nfa_dm_api.cc b/src/nfa/dm/nfa_dm_api.cc
index bec5df4..197174a 100644
--- a/src/nfa/dm/nfa_dm_api.cc
+++ b/src/nfa/dm/nfa_dm_api.cc

@@ -25,6 +25,7 @@
 
 #include <android-base/stringprintf.h>
 #include <base/logging.h>
+#include <log/log.h>
 
 #include "ndef_utils.h"
 #include "nfa_api.h"
@@ -939,6 +940,11 @@
     return (NFA_STATUS_INVALID_PARAM);
 
   size = NFC_HDR_SIZE + NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE + data_len;
+  /* Check for integer overflow */
+  if (size < data_len) {
+    android_errorWriteLog(0x534e4554, "120664978");
+    return NFA_STATUS_INVALID_PARAM;
+  }
   p_msg = (NFC_HDR*)GKI_getbuf(size);
   if (p_msg != NULL) {
     p_msg->event = NFA_DM_API_RAW_FRAME_EVT;
commit	cbc4823029edabb86bf8d6ac481bbc005ca942b2	[log] [tgz]
author	Ruchi Kandoi <kandoiruchi@google.com>	Mon Jan 07 16:17:48 2019 -0800
committer	JP Sugarbroad <jpsugar@google.com>	Mon Jan 14 16:44:25 2019 -0800
tree	698f5f10de896b7aabe5920713e3e2ad7d326182
parent	b5f3ef4acb917ca2243dcc36b93793867f15f709 [diff]