Prevent OOB write in phNxpNciHal_send_ese_hal_cmd Bug: 139736386 Test: manual Change-Id: Ibb9fa346038c3645eaf80bd814bf880d9a3c3e7f

commit: 4e4e0923eb1841698ad539403b7c0687bb2920b0 [log] [tgz]
author: George Chang <georgekgchang@google.com> Thu Feb 20 21:58:58 2020 +0800
committer: George Chang <georgekgchang@google.com> Fri Feb 21 06:01:02 2020 +0000
tree: 60c05d0bc3a9fc9be7c3b83a3356c02fd1a4dd2e
parent: f384f95bfe983c90d6d549388bbc903ac8f50c3b [diff]
diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
index 7908141..1bbd25f 100755
--- a/halimpl/hal/phNxpNciHal_ext.cc
+++ b/halimpl/hal/phNxpNciHal_ext.cc

@@ -901,6 +901,10 @@
  ******************************************************************************/
 NFCSTATUS phNxpNciHal_send_ese_hal_cmd(uint16_t cmd_len, uint8_t* p_cmd) {
   NFCSTATUS status = NFCSTATUS_FAILED;
+  if (cmd_len > NCI_MAX_DATA_LEN) {
+    NXPLOG_NCIHAL_E("cmd_len exceeds limit NCI_MAX_DATA_LEN");
+    return status;
+  }
   nxpncihal_ctrl.cmd_len = cmd_len;
   memcpy(nxpncihal_ctrl.p_cmd_data, p_cmd, cmd_len);
   status = phNxpNciHal_process_ext_cmd_rsp(nxpncihal_ctrl.cmd_len,
commit	4e4e0923eb1841698ad539403b7c0687bb2920b0	[log] [tgz]
author	George Chang <georgekgchang@google.com>	Thu Feb 20 21:58:58 2020 +0800
committer	George Chang <georgekgchang@google.com>	Fri Feb 21 06:01:02 2020 +0000
tree	60c05d0bc3a9fc9be7c3b83a3356c02fd1a4dd2e
parent	f384f95bfe983c90d6d549388bbc903ac8f50c3b [diff]