Prevent OOB write in phNxpNciHal_send_ese_hal_cmd
Bug: 139736386
Test: manual
Change-Id: Ibb9fa346038c3645eaf80bd814bf880d9a3c3e7f
diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
index 7908141..1bbd25f 100755
--- a/halimpl/hal/phNxpNciHal_ext.cc
+++ b/halimpl/hal/phNxpNciHal_ext.cc
@@ -901,6 +901,10 @@
******************************************************************************/
NFCSTATUS phNxpNciHal_send_ese_hal_cmd(uint16_t cmd_len, uint8_t* p_cmd) {
NFCSTATUS status = NFCSTATUS_FAILED;
+ if (cmd_len > NCI_MAX_DATA_LEN) {
+ NXPLOG_NCIHAL_E("cmd_len exceeds limit NCI_MAX_DATA_LEN");
+ return status;
+ }
nxpncihal_ctrl.cmd_len = cmd_len;
memcpy(nxpncihal_ctrl.p_cmd_data, p_cmd, cmd_len);
status = phNxpNciHal_process_ext_cmd_rsp(nxpncihal_ctrl.cmd_len,