Prevent OOB write in phNxpNciHal_send_ese_hal_cmd

Bug: 139736386 Test: manual Change-Id: Ibb9fa346038c3645eaf80bd814bf880d9a3c3e7f
author: George Chang <georgekgchang@google.com> 2020-02-20 21:58:58 +0800
committer: George Chang <georgekgchang@google.com> 2020-02-21 06:01:02 +0000
commit: 4e4e0923eb1841698ad539403b7c0687bb2920b0 (patch)
tree: 60c05d0bc3a9fc9be7c3b83a3356c02fd1a4dd2e /halimpl/hal
parent: f384f95bfe983c90d6d549388bbc903ac8f50c3b (diff)
download: android_hardware_nxp_nfc-4e4e0923eb1841698ad539403b7c0687bb2920b0.tar.gz
android_hardware_nxp_nfc-4e4e0923eb1841698ad539403b7c0687bb2920b0.tar.bz2
android_hardware_nxp_nfc-4e4e0923eb1841698ad539403b7c0687bb2920b0.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
index 7908141..1bbd25f 100755
--- a/halimpl/hal/phNxpNciHal_ext.cc
+++ b/halimpl/hal/phNxpNciHal_ext.cc
@@ -901,6 +901,10 @@ NFCSTATUS phNxpNciHal_send_ext_cmd(uint16_t cmd_len, uint8_t* p_cmd) {
  ******************************************************************************/
 NFCSTATUS phNxpNciHal_send_ese_hal_cmd(uint16_t cmd_len, uint8_t* p_cmd) {
   NFCSTATUS status = NFCSTATUS_FAILED;
+  if (cmd_len > NCI_MAX_DATA_LEN) {
+    NXPLOG_NCIHAL_E("cmd_len exceeds limit NCI_MAX_DATA_LEN");
+    return status;
+  }
   nxpncihal_ctrl.cmd_len = cmd_len;
   memcpy(nxpncihal_ctrl.p_cmd_data, p_cmd, cmd_len);
   status = phNxpNciHal_process_ext_cmd_rsp(nxpncihal_ctrl.cmd_len,
author	George Chang <georgekgchang@google.com>	2020-02-20 21:58:58 +0800
committer	George Chang <georgekgchang@google.com>	2020-02-21 06:01:02 +0000
commit	4e4e0923eb1841698ad539403b7c0687bb2920b0 (patch)
tree	60c05d0bc3a9fc9be7c3b83a3356c02fd1a4dd2e /halimpl/hal
parent	f384f95bfe983c90d6d549388bbc903ac8f50c3b (diff)
download	android_hardware_nxp_nfc-4e4e0923eb1841698ad539403b7c0687bb2920b0.tar.gz android_hardware_nxp_nfc-4e4e0923eb1841698ad539403b7c0687bb2920b0.tar.bz2 android_hardware_nxp_nfc-4e4e0923eb1841698ad539403b7c0687bb2920b0.zip