OOBR in phNxpNciHal_send_ese_hal_cmd()
Out of Bounds Read in phNxpNciHal_send_ese_hal_cmd Function
in phNxpNciHal_ext.cc in nfc_nci_nxp
Bug: 238083126
Test: build ok
Change-Id: Ie3083ce9b7096991a3815e4bf2a4bc9250d49377
diff --git a/pn8x/halimpl/hal/phNxpNciHal.cc b/pn8x/halimpl/hal/phNxpNciHal.cc
index bff811c..aa63ce5 100644
--- a/pn8x/halimpl/hal/phNxpNciHal.cc
+++ b/pn8x/halimpl/hal/phNxpNciHal.cc
@@ -2600,6 +2600,10 @@
}
switch (arg) {
case HAL_NFC_IOCTL_SPI_DWP_SYNC: {
+ if (pInpOutData->inp.data.nciCmd.cmd_len > MAX_IOCTL_TRANSCEIVE_CMD_LEN) {
+ android_errorWriteLog(0x534e4554, "238083126");
+ return -1;
+ }
ret = phNxpNciHal_send_ese_hal_cmd(pInpOutData->inp.data.nciCmd.cmd_len,
pInpOutData->inp.data.nciCmd.p_cmd);
pInpOutData->out.data.nciRsp.rsp_len = nxpncihal_ctrl.rx_ese_data_len;
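Review bot: The early `return -1` in the new length check leaves `pInpOutData->out.data.nciRsp.rsp_len` unset, whereas the normal path assigns it from `nxpncihal_ctrl.rx_ese_data_len` right after the call. A caller that reads the response without checking the return value would see whatever length was already in the struct, so setting `pInpOutData->out.data.nciRsp.rsp_len = 0;` before the return would make the rejected case unambiguous. The bound is also enforced only in this `HAL_NFC_IOCTL_SPI_DWP_SYNC` case, so any other caller of `phNxpNciHal_send_ese_hal_cmd()` stays unguarded; repeating the `cmd_len` check inside that function (not visible here) would protect the buffer whatever the entry point. The enclosing function starts and ends outside the hunk, so it should be confirmed that the direct return does not skip cleanup done after the switch.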