From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Thu, 17 Mar 2022 15:39:20 -0700
Subject: [PATCH] Out of Bounds Read in nfa_dm_check_set_config

Bug: 221216105
Test: build ok
Change-Id: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229
(cherry picked from commit 88c5c267e889699c71412022e3fcb03d20100e99)
Merged-In: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229
---
 src/nfa/dm/nfa_dm_main.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/nfa/dm/nfa_dm_main.c b/src/nfa/dm/nfa_dm_main.c
index 688de0e0..b0fd1777 100644
--- a/src/nfa/dm/nfa_dm_main.c
+++ b/src/nfa/dm/nfa_dm_main.c
@@ -283,6 +283,14 @@ tNFA_STATUS nfa_dm_check_set_config(uint8_t tlv_list_len, uint8_t* p_tlv_list,
     p_value = p_tlv_list + xx + 2;
     p_cur_len = NULL;
 
+        if (len > (tlv_list_len - xx - 2))
+        {
+            NFA_TRACE_ERROR2 ("error: invalid TLV length: t:0x%x, l:%d",
+                                       type, len);
+            android_errorWriteLog(0x534e4554, "221216105");
+            return NFA_STATUS_FAILED;
+        }
+
     switch (type) {
       /*
       **  Poll F Configuration