Potential OOB write in rw_t3t_send_raw_frame
Bug: 157649467
Test: build ok
Change-Id: Iab1285d9609d35c92074b49749e8c75a3ca1b2ea
diff --git a/src/nfc/tags/rw_t3t.cc b/src/nfc/tags/rw_t3t.cc
index 4b41b8a..60afe38 100644
--- a/src/nfc/tags/rw_t3t.cc
+++ b/src/nfc/tags/rw_t3t.cc
@@ -1199,6 +1199,12 @@
uint8_t* p;
tNFC_STATUS retval = NFC_STATUS_OK;
+ /* GKI_BUF2 is used for NFC_RW_POOL */
+ if (len > GKI_BUF2_SIZE - NCI_MSG_OFFSET_SIZE - NCI_DATA_HDR_SIZE - 2) {
+ android_errorWriteLog(0x534e4554, "157649467");
+ return NFC_STATUS_NO_BUFFERS;
+ }
+
p_cmd_buf = rw_t3t_get_cmd_buf();
if (p_cmd_buf != nullptr) {
/* Construct T3T message */
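Review bot: The bound in the added `if (len > GKI_BUF2_SIZE - NCI_MSG_OFFSET_SIZE - NCI_DATA_HDR_SIZE - 2)` rests on an unexplained `- 2` and on the assumption, stated only in the comment, that `rw_t3t_get_cmd_buf()` always returns a GKI_BUF2-sized buffer; the copy it protects lies past the end of this hunk, so neither can be verified here. If the buffer's own message header also occupies part of those `GKI_BUF2_SIZE` bytes, the limit may still be a few bytes too generous, so confirm that the header is accounted for. I would document the reserve next to the check, e.g. `/* 2 = <name the two reserved bytes>; cmd buffers come from NFC_RW_POOL, which must stay on GKI_BUF2 */`, and add a compile-time assertion tying the pool to that buffer size so a pool reconfiguration cannot silently reopen the overflow. Returning `NFC_STATUS_NO_BUFFERS` also makes an oversized frame indistinguishable from pool exhaustion for callers; a length-specific status would make the `android_errorWriteLog` entry easier to correlate during triage.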