Fix heap overflow in NFA_SendRawFrame() Bug: 120664978 Test: NFC enable/disable Merged-In: I1b6a062fb5bf10364a20e99faf4adef13a478d22 Change-Id: I1b6a062fb5bf10364a20e99faf4adef13a478d22 (cherry picked from commit 6c88aff4b975cbd4d4803968096f411c5ba41de4)

commit: 51466b6a3affd8eeeb7d1ef57d87ffa335fbc47d [log] [tgz]
author: Ruchi Kandoi <kandoiruchi@google.com> Mon Jan 07 16:17:48 2019 -0800
committer: JP Sugarbroad <jpsugar@google.com> Mon Jan 14 16:23:29 2019 -0800
tree: 4930fda0ac610c0fc2dbb7a160b8d4fb3bab8494
parent: 5830caa72e1103db24cd5353ef958c8f6228482c [diff]
diff --git a/src/nfa/dm/nfa_dm_api.c b/src/nfa/dm/nfa_dm_api.c
index 474a525..6d62375 100644
--- a/src/nfa/dm/nfa_dm_api.c
+++ b/src/nfa/dm/nfa_dm_api.c

@@ -21,7 +21,9 @@
  *  NFA interface for device management
  *
  ******************************************************************************/
+#include <log/log.h>
 #include <string.h>
+
 #include "ndef_utils.h"
 #include "nfa_api.h"
 #include "nfa_ce_int.h"
@@ -918,6 +920,11 @@
     return (NFA_STATUS_INVALID_PARAM);
 
   size = NFC_HDR_SIZE + NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE + data_len;
+  /* Check for integer overflow */
+  if (size < data_len) {
+    android_errorWriteLog(0x534e4554, "120664978");
+    return NFA_STATUS_INVALID_PARAM;
+  }
   p_msg = (NFC_HDR*)GKI_getbuf(size);
   if (p_msg != NULL) {
     p_msg->event = NFA_DM_API_RAW_FRAME_EVT;
commit	51466b6a3affd8eeeb7d1ef57d87ffa335fbc47d	[log] [tgz]
author	Ruchi Kandoi <kandoiruchi@google.com>	Mon Jan 07 16:17:48 2019 -0800
committer	JP Sugarbroad <jpsugar@google.com>	Mon Jan 14 16:23:29 2019 -0800
tree	4930fda0ac610c0fc2dbb7a160b8d4fb3bab8494
parent	5830caa72e1103db24cd5353ef958c8f6228482c [diff]