Fix heap overflow in nfa_rw_store_ndef_rx_buf

Test: Read Tag
Bug: 123583388
Merged-In: I712c1af4442dea526a1fb27123eefdb2ac60c830
Change-Id: I712c1af4442dea526a1fb27123eefdb2ac60c830
(cherry picked from commit 11d0ac5feac5a933255a524ffc12501d566ac81b)
diff --git a/src/nfa/rw/nfa_rw_act.cc b/src/nfa/rw/nfa_rw_act.cc
index e7f29dd..7f9dcfa 100644
--- a/src/nfa/rw/nfa_rw_act.cc
+++ b/src/nfa/rw/nfa_rw_act.cc
@@ -21,6 +21,7 @@
  *  This file contains the action functions the NFA_RW state machine.
  *
  ******************************************************************************/
+#include <log/log.h>
 #include <string.h>
 
 #include <android-base/stringprintf.h>
@@ -82,10 +83,16 @@
 
   p = (uint8_t*)(p_rw_data->data.p_data + 1) + p_rw_data->data.p_data->offset;
 
-  /* Save data into buffer */
-  memcpy(&nfa_rw_cb.p_ndef_buf[nfa_rw_cb.ndef_rd_offset], p,
-         p_rw_data->data.p_data->len);
-  nfa_rw_cb.ndef_rd_offset += p_rw_data->data.p_data->len;
+  if ((nfa_rw_cb.ndef_rd_offset + p_rw_data->data.p_data->len) <=
+      nfa_rw_cb.ndef_cur_size) {
+    /* Save data into buffer */
+    memcpy(&nfa_rw_cb.p_ndef_buf[nfa_rw_cb.ndef_rd_offset], p,
+           p_rw_data->data.p_data->len);
+    nfa_rw_cb.ndef_rd_offset += p_rw_data->data.p_data->len;
+  } else {
+    LOG(ERROR) << StringPrintf("Exceed ndef_cur_size error");
+    android_errorWriteLog(0x534e4554, "123583388");
+  }
 
   GKI_freebuf(p_rw_data->data.p_data);
   p_rw_data->data.p_data = NULL;
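Review bot: The new `else` branch only logs and then falls through to `GKI_freebuf`, so an oversized chunk is dropped without advancing `ndef_rd_offset` and nothing in this hunk marks the read as failed; any later chunk that still fits would be stored where the dropped one belonged, leaving a silently corrupted NDEF message. The enclosing function starts and ends outside the hunk, so whether it can return a status is not visible here, but the branch should record a failure that the read-completion path reports instead of only logging. Separately, the guard adds `ndef_rd_offset` and `len` before comparing; the field types are not shown, and if the sum is computed in the same width as `ndef_cur_size` it could wrap, so the subtraction form is safer: `if (nfa_rw_cb.ndef_rd_offset <= nfa_rw_cb.ndef_cur_size && p_rw_data->data.p_data->len <= nfa_rw_cb.ndef_cur_size - nfa_rw_cb.ndef_rd_offset)`. The check also relies on `ndef_cur_size` being the allocated size of `p_ndef_buf`, which the hunk does not show and which deserves a one-line comment at the guard.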