Fix heap overflow in NFA_SendRawFrame() Bug: 120664978 Test: NFC enable/disable Change-Id: I1b6a062fb5bf10364a20e99faf4adef13a478d22 (cherry picked from commit fc81ec955925391d772214043be62e48a6d65275)

commit: ff1ee6035c293c20fe9e69e8034b3547471be402 [log] [tgz]
author: Ruchi Kandoi <kandoiruchi@google.com> Mon Jan 07 16:17:48 2019 -0800
committer: JP Sugarbroad <jpsugar@google.com> Mon Jan 14 14:55:26 2019 -0800
tree: b78960bf83bd30e199fad50890b7b09aec80067a
parent: fcbdbe123bac453fd0ecf963d0f2c7a9392fe913 [diff]
diff --git a/src/nfa/dm/nfa_dm_api.c b/src/nfa/dm/nfa_dm_api.c
index 89f667f..2b55941 100644
--- a/src/nfa/dm/nfa_dm_api.c
+++ b/src/nfa/dm/nfa_dm_api.c

@@ -22,7 +22,9 @@
  *  NFA interface for device management
  *
  ******************************************************************************/
+#include <log/log.h>
 #include <string.h>
+
 #include "nfa_api.h"
 #include "nfa_sys.h"
 #include "nfa_dm_int.h"
@@ -869,6 +871,12 @@
         return (NFA_STATUS_INVALID_PARAM);
 
     size = BT_HDR_SIZE + NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE + data_len;
+    /* Check for integer overflow */
+    if (size < data_len)
+    {
+        android_errorWriteLog(0x534e4554, "120664978");
+        return NFA_STATUS_INVALID_PARAM;
+    }
     if ((p_msg = (BT_HDR *) GKI_getbuf (size)) != NULL)
     {
         p_msg->event  = NFA_DM_API_RAW_FRAME_EVT;
commit	ff1ee6035c293c20fe9e69e8034b3547471be402	[log] [tgz]
author	Ruchi Kandoi <kandoiruchi@google.com>	Mon Jan 07 16:17:48 2019 -0800
committer	JP Sugarbroad <jpsugar@google.com>	Mon Jan 14 14:55:26 2019 -0800
tree	b78960bf83bd30e199fad50890b7b09aec80067a
parent	fcbdbe123bac453fd0ecf963d0f2c7a9392fe913 [diff]