Fix heap overflow in NFA_SendRawFrame()
Bug: 120664978
Test: NFC enable/disable
Merged-In: I1b6a062fb5bf10364a20e99faf4adef13a478d22
Change-Id: I1b6a062fb5bf10364a20e99faf4adef13a478d22
(cherry picked from commit 6c88aff4b975cbd4d4803968096f411c5ba41de4)
diff --git a/src/nfa/dm/nfa_dm_api.c b/src/nfa/dm/nfa_dm_api.c
index 474a525..6d62375 100644
--- a/src/nfa/dm/nfa_dm_api.c
+++ b/src/nfa/dm/nfa_dm_api.c
@@ -21,7 +21,9 @@
* NFA interface for device management
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
+
#include "ndef_utils.h"
#include "nfa_api.h"
#include "nfa_ce_int.h"
@@ -918,6 +920,11 @@
return (NFA_STATUS_INVALID_PARAM);
size = NFC_HDR_SIZE + NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE + data_len;
+ /* Check for integer overflow */
+ if (size < data_len) {
+ android_errorWriteLog(0x534e4554, "120664978");
+ return NFA_STATUS_INVALID_PARAM;
+ }
p_msg = (NFC_HDR*)GKI_getbuf(size);
if (p_msg != NULL) {
p_msg->event = NFA_DM_API_RAW_FRAME_EVT;
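Review bot: The wrap test `if (size < data_len)` only catches the overflow when the sum is truncated on assignment to `size`, and the declarations of `size` and `data_len` are outside this hunk, so the lines shown cannot confirm that the guard holds. Bounding the input before the addition would not depend on that truncation, e.g. `if (data_len > UINT16_MAX - (NFC_HDR_SIZE + NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE))`, assuming `size` is 16 bits wide; adjust the limit to its real type. The comment `/* Check for integer overflow */` could also say why the comparison works, for instance `/* header sizes are non-zero, so size < data_len means the sum wrapped */`. The literal `0x534e4554` deserves a short comment or named constant, since it is the ASCII tag "SNET" used for security event logging and the string argument is the bug id. The enclosing function starts and ends outside the hunk, so the later copy of `data_len` bytes into the buffer is not visible here and should be checked against the same bound.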