RESTRICT AUTOMERGE
Prevent potential underflow in nfa_hci_utils.cc

Bug: 124521372
Test: Read/Write Tag
Change-Id: I68083df77ec3a392bd5f04cb49e1d3453af87d51
diff --git a/src/nfa/hci/nfa_hci_utils.cc b/src/nfa/hci/nfa_hci_utils.cc
index d64fe6c..1751af3 100644
--- a/src/nfa/hci/nfa_hci_utils.cc
+++ b/src/nfa/hci/nfa_hci_utils.cc
@@ -25,6 +25,7 @@
 
 #include <android-base/stringprintf.h>
 #include <base/logging.h>
+#include <log/log.h>
 
 #include "nfa_dm_int.h"
 #include "nfa_hci_api.h"
@@ -305,8 +306,13 @@
   bool first_pkt = true;
   uint16_t data_len;
   tNFA_STATUS status = NFA_STATUS_OK;
-  uint16_t max_seg_hcp_pkt_size = nfa_hci_cb.buff_size - NCI_DATA_HDR_SIZE;
-
+  uint16_t max_seg_hcp_pkt_size;
+  if (nfa_hci_cb.buff_size > (NCI_DATA_HDR_SIZE + 2)) {
+    max_seg_hcp_pkt_size = nfa_hci_cb.buff_size - NCI_DATA_HDR_SIZE;
+  } else {
+    android_errorWriteLog(0x534e4554, "124521372");
+    return NFA_STATUS_NO_BUFFERS;
+  }
   char buff[100];
 
   DLOG_IF(INFO, nfc_debug_enabled) << StringPrintf(
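Review bot: The `+ 2` in the new guard `nfa_hci_cb.buff_size > (NCI_DATA_HDR_SIZE + 2)` is an unexplained literal, even though that lower bound is what stops the later `uint16_t` length arithmetic on `max_seg_hcp_pkt_size` from wrapping. It presumably reserves the HCP header bytes subtracted per segment further down, but that code is outside the hunk, so confirm it and then state it, e.g. `/* buff_size must exceed the NCI data header plus the 2 HCP header bytes of the first segment, or the segment length below wraps */`. The tag `0x534e4554` (ASCII "SNET") passed to `android_errorWriteLog` would also benefit from a one-line comment saying it is the event-log tag and that the string is the bug id. The enclosing function starts and ends outside the hunk.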
@@ -349,8 +355,12 @@
         memcpy(p_data, p_msg, data_len);
 
         p_buf->len += data_len;
-        msg_len -= data_len;
-        if (msg_len > 0) p_msg += data_len;
+        if (msg_len >= data_len) {
+          msg_len -= data_len;
+          p_msg += data_len;
+        } else {
+          msg_len = 0;
+        }
       }
 
       if (HCI_LOOPBACK_DEBUG == NFA_HCI_DEBUG_ON)
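Review bot: The new `else` branch handles `data_len > msg_len`, but the context line `memcpy(p_data, p_msg, data_len);` above it has already copied `data_len` bytes from `p_msg`, so if that branch is ever reachable the read past the end of the message happens before `msg_len` is clamped. Bounding the length before the copy, `if (data_len > msg_len) data_len = msg_len;`, would close the over-read as well as the underflow. If `data_len` is already limited to `msg_len` earlier in the loop (not visible in this hunk), the `else` is purely defensive and a comment such as `/* unreachable if data_len <= msg_len holds above; kept as a guard */` would say so. Unlike the buffer-size check in the previous hunk, this branch also zeroes `msg_len` silently, so a truncated send leaves no log entry.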