Multiple vulnerabilities in phNxpNciHal_print_res_status

Bug: 169258884 Bug: 169258733 Bug: 169257710 Test: build ok Change-Id: Icccbe6c781847d5495cc09e9fd72bd5a39011e73
author: Alisher Alikhodjaev <alisher@google.com> 2020-10-20 18:56:50 -0700
committer: alk3pInjection <webmaster@raspii.tech> 2022-03-05 01:55:03 +0800
commit: eb2b544996468c3e3cdb63e68e0e9efe84dc4cca (patch)
tree: 789bede8ee993527b746d41cd2c59d59c5762720
parent: 3f241426aaa0b3d21fbca568c8702d5505616df1 (diff)
1 files changed, 14 insertions, 4 deletions
diff --git a/halimpl/hal/phNxpNciHal.cc b/halimpl/hal/phNxpNciHal.cc
index 0284845..d1c52d8 100644
--- a/halimpl/hal/phNxpNciHal.cc
+++ b/halimpl/hal/phNxpNciHal.cc
@@ -4453,15 +4453,25 @@ static void phNxpNciHal_print_res_status(uint8_t* p_rx_data, uint16_t* p_len) {
       NXPLOG_NCIHAL_D("%s: response status =%s", __func__, response_buf[11]);
     }
     if (phNxpNciClock.isClockSet) {
-      int i;
-      for (i = 0; i < *p_len; i++) {
+      int i, len = sizeof(phNxpNciClock.p_rx_data);
+      if (*p_len > len) {
+        android_errorWriteLog(0x534e4554, "169257710");
+      } else {
+        len = *p_len;
+      }
+      for (i = 0; i < len; i++) {
         phNxpNciClock.p_rx_data[i] = p_rx_data[i];
       }
     }
 
     if (phNxpNciRfSet.isGetRfSetting) {
-      int i;
-      for (i = 0; i < *p_len; i++) {
+      int i, len = sizeof(phNxpNciRfSet.p_rx_data);
+      if (*p_len > len) {
+        android_errorWriteLog(0x534e4554, "169258733");
+      } else {
+        len = *p_len;
+      }
+      for (i = 0; i < len; i++) {
         phNxpNciRfSet.p_rx_data[i] = p_rx_data[i];
         // NXPLOG_NCIHAL_D("%s: response status =0x%x",__func__,p_rx_data[i]);
       }
author	Alisher Alikhodjaev <alisher@google.com>	2020-10-20 18:56:50 -0700
committer	alk3pInjection <webmaster@raspii.tech>	2022-03-05 01:55:03 +0800
commit	eb2b544996468c3e3cdb63e68e0e9efe84dc4cca (patch)
tree	789bede8ee993527b746d41cd2c59d59c5762720
parent	3f241426aaa0b3d21fbca568c8702d5505616df1 (diff)