Potential OOB write in CE_SendRawFrame

Bug: 157649398
Test: build ok
Change-Id: I70bd34dd1b5ded4314950ace52d497d1ea1e7452
diff --git a/src/nfc/tags/ce_main.cc b/src/nfc/tags/ce_main.cc
index 27c218c..1afc848 100644
--- a/src/nfc/tags/ce_main.cc
+++ b/src/nfc/tags/ce_main.cc
@@ -27,6 +27,7 @@
 
 #include <android-base/stringprintf.h>
 #include <base/logging.h>
+#include <log/log.h>
 
 #include "nfc_target.h"
 
@@ -64,6 +65,12 @@
   uint8_t* p;
 
   if (ce_cb.p_cback) {
+    if (data_len > GKI_get_pool_bufsize(NFC_RW_POOL_ID) - NCI_MSG_OFFSET_SIZE -
+                       NCI_DATA_HDR_SIZE - 1) {
+      android_errorWriteLog(0x534e4554, "157649398");
+      return NFC_STATUS_FAILED;
+    }
+
     /* a valid opcode for RW */
     p_data = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
     if (p_data) {