Prevent OOB error in nfc_ncif_proc_get_routing()
Test: Tag reading; Card Emulation
Bug: 117554809
Change-Id: Ib49af2eadf870f030a6cddeec390dc498bd5078c
(cherry picked from commit 8c29aa84918b79d3bad0a68430a2dfbeec41bde6)
diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index ed83c18..bf906f1 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -27,6 +27,7 @@
#include <log/log.h>
#include <stdlib.h>
#include <string.h>
+
#include "nfc_target.h"
#if NFC_INCLUDED == TRUE
@@ -1195,8 +1196,13 @@
{
tl = *(p+1);
tl += NFC_TL_SIZE;
- STREAM_TO_ARRAY (pn, p, tl);
evt_data.tlv_size += tl;
+ if (evt_data.tlv_size > NFC_MAX_EE_TLV_SIZE) {
+ android_errorWriteLog(0x534e4554, "117554809");
+ NFC_TRACE_ERROR1("%s Invalid data format", __func__);
+ return;
+ }
+ STREAM_TO_ARRAY (pn, p, tl);
pn += tl;
}
(*nfc_cb.p_resp_cback) (NFC_GET_ROUTING_REVT, (tNFC_RESPONSE *) &evt_data);
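Review bot: The added check tests `evt_data.tlv_size` only after `tl` has been added to it, so if `tlv_size` and `tl` are narrow unsigned types (their declarations are outside this hunk and should be confirmed), the sum can wrap and pass the `> NFC_MAX_EE_TLV_SIZE` test while `STREAM_TO_ARRAY` still copies `tl` bytes. Comparing against the remaining space before the addition avoids this: `if (tl > NFC_MAX_EE_TLV_SIZE - evt_data.tlv_size) { /* log and return */ }`, followed by `evt_data.tlv_size += tl;`. The earlier `tl += NFC_TL_SIZE` may wrap in the same way for a large length byte, so it is safer to compute the length in a wider type such as `uint16_t`. The check also bounds only the destination buffer: nothing visible here verifies that `tl` bytes remain in the received packet behind `p`, so a read-side check against the packet length is worth adding if the function receives one. The enclosing function starts and ends outside the hunk.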