Potential OOB write in rw_t3t_send_raw_frame Bug: 157649467 Test: build ok Change-Id: Iab1285d9609d35c92074b49749e8c75a3ca1b2ea

commit: e518ef4b66d2e008df3fd4d73dbd7b194e7da38b [log] [tgz]
author: Alisher Alikhodjaev <alisher@google.com> Wed Jun 17 17:51:34 2020 -0700
committer: Alisher Alikhodjaev <alisher@google.com> Thu Jul 23 20:11:24 2020 +0000
tree: 13bd49ec6a526db0888aaaf48a3b1cf6d7fbbcbf
parent: 127e9905ffb8b992bb9456b5e906b2bc996095a7 [diff]
diff --git a/src/nfc/tags/rw_t3t.cc b/src/nfc/tags/rw_t3t.cc
index 4b41b8a..60afe38 100644
--- a/src/nfc/tags/rw_t3t.cc
+++ b/src/nfc/tags/rw_t3t.cc

@@ -1199,6 +1199,12 @@
   uint8_t* p;
   tNFC_STATUS retval = NFC_STATUS_OK;
 
+  /* GKI_BUF2 is used for NFC_RW_POOL */
+  if (len > GKI_BUF2_SIZE - NCI_MSG_OFFSET_SIZE - NCI_DATA_HDR_SIZE - 2) {
+    android_errorWriteLog(0x534e4554, "157649467");
+    return NFC_STATUS_NO_BUFFERS;
+  }
+
   p_cmd_buf = rw_t3t_get_cmd_buf();
   if (p_cmd_buf != nullptr) {
     /* Construct T3T message */
commit	e518ef4b66d2e008df3fd4d73dbd7b194e7da38b	[log] [tgz]
author	Alisher Alikhodjaev <alisher@google.com>	Wed Jun 17 17:51:34 2020 -0700
committer	Alisher Alikhodjaev <alisher@google.com>	Thu Jul 23 20:11:24 2020 +0000
tree	13bd49ec6a526db0888aaaf48a3b1cf6d7fbbcbf
parent	127e9905ffb8b992bb9456b5e906b2bc996095a7 [diff]