Fix heap overflow in nfa_rw_store_ndef_rx_buf
Test: Read Tag
Bug: 123583388
Change-Id: I712c1af4442dea526a1fb27123eefdb2ac60c830
(cherry picked from commit 74efd480bb66cfa7c60e85c0cff76096bc179405)
diff --git a/src/nfa/rw/nfa_rw_act.c b/src/nfa/rw/nfa_rw_act.c
index 5a1091d..1daac19 100644
--- a/src/nfa/rw/nfa_rw_act.c
+++ b/src/nfa/rw/nfa_rw_act.c
@@ -22,6 +22,7 @@
* This file contains the action functions the NFA_RW state machine.
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
#include "nfa_rw_int.h"
#include "nfa_dm_int.h"
@@ -77,9 +78,19 @@
p = (UINT8 *)(p_rw_data->data.p_data + 1) + p_rw_data->data.p_data->offset;
- /* Save data into buffer */
- memcpy(&nfa_rw_cb.p_ndef_buf[nfa_rw_cb.ndef_rd_offset], p, p_rw_data->data.p_data->len);
- nfa_rw_cb.ndef_rd_offset += p_rw_data->data.p_data->len;
+ if ((nfa_rw_cb.ndef_rd_offset + p_rw_data->data.p_data->len) <=
+ nfa_rw_cb.ndef_cur_size)
+ {
+ /* Save data into buffer */
+ memcpy(&nfa_rw_cb.p_ndef_buf[nfa_rw_cb.ndef_rd_offset], p,
+ p_rw_data->data.p_data->len);
+ nfa_rw_cb.ndef_rd_offset += p_rw_data->data.p_data->len;
+ }
+ else
+ {
+ NFA_TRACE_ERROR0("RW_SetActivatedTagType failed.");
+ android_errorWriteLog(0x534e4554, "123583388");
+ }
GKI_freebuf(p_rw_data->data.p_data);
p_rw_data->data.p_data = NULL;