From 4e4e0923eb1841698ad539403b7c0687bb2920b0 Mon Sep 17 00:00:00 2001
From: George Chang
Date: Thu, 20 Feb 2020 21:58:58 +0800
Subject: Prevent OOB write in phNxpNciHal_send_ese_hal_cmd
Bug: 139736386
Test: manual
Change-Id: Ibb9fa346038c3645eaf80bd814bf880d9a3c3e7f
---
halimpl/hal/phNxpNciHal_ext.cc | 4 ++++
1 file changed, 4 insertions(+)
(limited to 'halimpl/hal')
diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
index 7908141..1bbd25f 100755
--- a/halimpl/hal/phNxpNciHal_ext.cc
+++ b/halimpl/hal/phNxpNciHal_ext.cc
@@ -901,6 +901,10 @@ NFCSTATUS phNxpNciHal_send_ext_cmd(uint16_t cmd_len, uint8_t* p_cmd) {
 ******************************************************************************/
 NFCSTATUS phNxpNciHal_send_ese_hal_cmd(uint16_t cmd_len, uint8_t* p_cmd) {
 NFCSTATUS status = NFCSTATUS_FAILED;
+ if (cmd_len > NCI_MAX_DATA_LEN) {
+ NXPLOG_NCIHAL_E("cmd_len exceeds limit NCI_MAX_DATA_LEN");
+ return status;
+ }
 nxpncihal_ctrl.cmd_len = cmd_len;
 memcpy(nxpncihal_ctrl.p_cmd_data, p_cmd, cmd_len);
 status = phNxpNciHal_process_ext_cmd_rsp(nxpncihal_ctrl.cmd_len,
-- cgit v1.2.3
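Review bot: The new guard in phNxpNciHal_send_ese_hal_cmd bounds cmd_len by NCI_MAX_DATA_LEN, but the memcpy destination is nxpncihal_ctrl.p_cmd_data, whose declared size is not visible in this hunk; if it is a fixed array, checking against the destination itself, `if (cmd_len > sizeof(nxpncihal_ctrl.p_cmd_data)) {`, keeps the check correct should the constant or the buffer ever change independently. The hunk header shows phNxpNciHal_send_ext_cmd with the same (cmd_len, p_cmd) signature directly above; its body is outside the hunk, so it is worth confirming that it applies the same bound before any copy into p_cmd_data. Assuming NXPLOG_NCIHAL_E takes printf-style arguments, logging the rejected length would help triage, e.g. `NXPLOG_NCIHAL_E("cmd_len %u exceeds limit NCI_MAX_DATA_LEN", cmd_len);`. The function body continues past the end of the hunk, so the handling of the return status was not reviewed.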