Prevent Integer Overflow in rw_t3t_act_handle_check_rsp() Bug: 120503926 Test: NFC Enable/Disable Change-Id: I260c2028ab56260ae4d26ce7c4699763df20ce7a (cherry picked from commit 2fa7388789742b3e75173d998925d4c6165814a6)

commit: 1f9f29a26af633dc7f0adc95c2b22e673b5b6311 [log] [tgz]
author: Ruchi Kandoi <kandoiruchi@google.com> Mon Jan 07 17:36:52 2019 -0800
committer: JP Sugarbroad <jpsugar@google.com> Mon Jan 14 14:54:31 2019 -0800
tree: 168ee212ecad6f48d6beb2e0929b0ea73a42d916
parent: 218a6e7ee070751ec19bb5157a839607f30b2547 [diff]
diff --git a/src/nfc/tags/rw_t3t.c b/src/nfc/tags/rw_t3t.c
index a0640fa..b42bb22 100644
--- a/src/nfc/tags/rw_t3t.c
+++ b/src/nfc/tags/rw_t3t.c

@@ -1401,7 +1401,7 @@
         nfc_status = NFC_STATUS_FAILED;
         GKI_freebuf (p_msg_rsp);
     }
-    else
+    else if (p_msg_rsp->len >= T3T_MSG_RSP_OFFSET_CHECK_DATA)
     {
         /* Copy incoming data into buffer */
         p_msg_rsp->offset += T3T_MSG_RSP_OFFSET_CHECK_DATA;     /* Skip over t3t header */
@@ -1410,6 +1410,12 @@
         evt_data.p_data = p_msg_rsp;
         (*(rw_cb.p_cback)) (RW_T3T_CHECK_EVT, (tRW_DATA *) &evt_data);
     }
+    else
+    {
+        android_errorWriteLog(0x534e4554, "120503926");
+        nfc_status = NFC_STATUS_FAILED;
+        GKI_freebuf(p_msg_rsp);
+    }
 
 
     p_cb->rw_state = RW_T3T_STATE_IDLE;
commit	1f9f29a26af633dc7f0adc95c2b22e673b5b6311	[log] [tgz]
author	Ruchi Kandoi <kandoiruchi@google.com>	Mon Jan 07 17:36:52 2019 -0800
committer	JP Sugarbroad <jpsugar@google.com>	Mon Jan 14 14:54:31 2019 -0800
tree	168ee212ecad6f48d6beb2e0929b0ea73a42d916
parent	218a6e7ee070751ec19bb5157a839607f30b2547 [diff]