Integer Overflow in rw_t3t_act_handle_check_ndef_rsp
A possible integer overflow in rw_t3t_act_handle_check_ndef_rsp()
in rw_t3t.cc in nfc
Bug: 224002331
Test: build ok
Change-Id: Id46a63fa0bac7db092104c4d44bb084f275f98b3
diff --git a/src/nfc/tags/rw_t3t.cc b/src/nfc/tags/rw_t3t.cc
index 0e91498..9bd6541 100644
--- a/src/nfc/tags/rw_t3t.cc
+++ b/src/nfc/tags/rw_t3t.cc
@@ -1571,6 +1571,12 @@
* bytes (do not include padding to 16-byte boundary) */
if ((p_cb->flags & RW_T3T_FL_IS_FINAL_NDEF_SEGMENT) &&
(p_cb->ndef_attrib.ln & 0x000F)) {
+ if (rsp_num_bytes_rx < (16 - (p_cb->ndef_attrib.ln & 0x000F))) {
+ nfc_status = NFC_STATUS_FAILED;
+ GKI_freebuf(p_msg_rsp);
+ android_errorWriteLog(0x534e4554, "224002331");
+ return;
+ }
rsp_num_bytes_rx -= (16 - (p_cb->ndef_attrib.ln & 0x000F));
}
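Review bot: The added guard in the final-segment branch assigns `nfc_status = NFC_STATUS_FAILED;` and then reaches `return;` with only the buffer free and the log call in between, so nothing visible in this hunk ever consumes that status. The rest of rw_t3t_act_handle_check_ndef_rsp lies outside the hunk; if it normally reports the check result to the upper layer and returns the reader to idle, this early return skips both, and a tag that sends a short final segment could leave the read pending rather than failed. Either route this case through the function's existing failure reporting (freeing `p_msg_rsp` only once on that path), or state the intent in a comment such as `/* padding exceeds bytes received: malformed response, dropped without notifying the caller */`. The padding term `16 - (p_cb->ndef_attrib.ln & 0x000F)` is also written out in both the check and the subtraction; computing it once into a named local would keep the two from drifting apart.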