Prevent Integer Overflow in rw_t3t_act_handle_check_rsp() Bug: 120503926 Test: NFC Enable/Disable Change-Id: I260c2028ab56260ae4d26ce7c4699763df20ce7a (cherry picked from commit cee2f35a694627e191c7bf26728f9ff7aa07414a)

commit: 23137c5e05cf6d87355af024e6494cf97a610beb [log] [tgz]
author: Ruchi Kandoi <kandoiruchi@google.com> Mon Jan 07 17:36:52 2019 -0800
committer: android-build-team Robot <android-build-team-robot@google.com> Wed Jan 16 18:57:11 2019 +0000
tree: 9c643375b0a7132cfc6dcd83b42cfe75f386606d
parent: 3ba77cf43842eea409c891e815f14261aafde289 [diff]
diff --git a/src/nfc/tags/rw_t3t.cc b/src/nfc/tags/rw_t3t.cc
index 8130730..b911f3b 100644
--- a/src/nfc/tags/rw_t3t.cc
+++ b/src/nfc/tags/rw_t3t.cc

@@ -1377,7 +1377,7 @@
         T3T_MSG_OPC_CHECK_RSP, p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE]);
     nfc_status = NFC_STATUS_FAILED;
     GKI_freebuf(p_msg_rsp);
-  } else {
+  } else if (p_msg_rsp->len >= T3T_MSG_RSP_OFFSET_CHECK_DATA) {
     /* Copy incoming data into buffer */
     p_msg_rsp->offset +=
         T3T_MSG_RSP_OFFSET_CHECK_DATA; /* Skip over t3t header */
@@ -1387,6 +1387,10 @@
     tRW_DATA rw_data;
     rw_data.data = evt_data;
     (*(rw_cb.p_cback))(RW_T3T_CHECK_EVT, &rw_data);
+  } else {
+    android_errorWriteLog(0x534e4554, "120503926");
+    nfc_status = NFC_STATUS_FAILED;
+    GKI_freebuf(p_msg_rsp);
   }
 
   p_cb->rw_state = RW_T3T_STATE_IDLE;
commit	23137c5e05cf6d87355af024e6494cf97a610beb	[log] [tgz]
author	Ruchi Kandoi <kandoiruchi@google.com>	Mon Jan 07 17:36:52 2019 -0800
committer	android-build-team Robot <android-build-team-robot@google.com>	Wed Jan 16 18:57:11 2019 +0000
tree	9c643375b0a7132cfc6dcd83b42cfe75f386606d
parent	3ba77cf43842eea409c891e815f14261aafde289 [diff]