Potential OOB write in CE_SendRawFrame
Bug: 157649398
Test: build ok
Change-Id: I70bd34dd1b5ded4314950ace52d497d1ea1e7452
diff --git a/src/nfc/tags/ce_main.cc b/src/nfc/tags/ce_main.cc
index 27c218c..1afc848 100644
--- a/src/nfc/tags/ce_main.cc
+++ b/src/nfc/tags/ce_main.cc
@@ -27,6 +27,7 @@
#include <android-base/stringprintf.h>
#include <base/logging.h>
+#include <log/log.h>
#include "nfc_target.h"
@@ -64,6 +65,12 @@
uint8_t* p;
if (ce_cb.p_cback) {
+ if (data_len > GKI_get_pool_bufsize(NFC_RW_POOL_ID) - NCI_MSG_OFFSET_SIZE -
+ NCI_DATA_HDR_SIZE - 1) {
+ android_errorWriteLog(0x534e4554, "157649398");
+ return NFC_STATUS_FAILED;
+ }
+
/* a valid opcode for RW */
p_data = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
if (p_data) {
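Review bot: The new bound on `data_len` (the `if` added just before `GKI_getpoolbuf`) subtracts `NCI_MSG_OFFSET_SIZE`, `NCI_DATA_HDR_SIZE` and 1 from the pool buffer size but not `sizeof(NFC_HDR)`, even though the buffer is cast to `NFC_HDR*` on the next lines, so the header appears to sit at the start of the same allocation. If `GKI_get_pool_bufsize` reports the whole buffer including that header, a `data_len` close to the limit could still write past the end; neither that function's contract nor the copy itself is visible in this hunk, so this needs confirming. Writing the check as an addition covers the header and avoids any underflow on the right-hand side if the pool is ever configured small: `if (data_len + sizeof(NFC_HDR) + NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE + 1 > GKI_get_pool_bufsize(NFC_RW_POOL_ID)) {`. A one-line comment stating what the extra byte is reserved for would also help, since the `- 1` is unexplained.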