From 9ea2fecd6d3555e06e2f134f82822c00ed9298eb Mon Sep 17 00:00:00 2001
From: Peter van der Perk
Date: Fri, 17 May 2024 12:00:55 +0200
Subject: [PATCH] dronecan: SocketCAN driver check size before copying
Avoids memory corruption if we get packets to big
---
 .../uavcan_drivers/socketcan/driver/src/socketcan.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/drivers/uavcan/uavcan_drivers/socketcan/driver/src/socketcan.cpp b/src/drivers/uavcan/uavcan_drivers/socketcan/driver/src/socketcan.cpp
index b3a8ce183625..8df5c21b5e12 100644
--- a/src/drivers/uavcan/uavcan_drivers/socketcan/driver/src/socketcan.cpp
+++ b/src/drivers/uavcan/uavcan_drivers/socketcan/driver/src/socketcan.cpp
@@ -218,12 +218,22 @@ uavcan::int16_t CanIface::receive(uavcan::CanFrame &out_frame, uavcan::Monotonic
 if (_can_fd) {
 struct canfd_frame *recv_frame = (struct canfd_frame *)&_recv_frame;
 out_frame.id = recv_frame->can_id;
+
+ if (recv_frame->len > CANFD_MAX_DLEN) {
+ return -EFAULT;
+ }
+
 out_frame.dlc = recv_frame->len;
 memcpy(out_frame.data, &recv_frame->data, recv_frame->len);
 } else {
 struct can_frame *recv_frame = (struct can_frame *)&_recv_frame;
 out_frame.id = recv_frame->can_id;
+
+ if (recv_frame->can_dlc > CAN_MAX_DLEN) {
+ return -EFAULT;
+ }
+
 out_frame.dlc = recv_frame->can_dlc;
 memcpy(out_frame.data, &recv_frame->data, recv_frame->can_dlc);
 }
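Review bot: Both new guards bound the copy by the source structure's limit (`CANFD_MAX_DLEN`, `CAN_MAX_DLEN`) rather than by the capacity of the destination `out_frame.data`, so each `memcpy` is only safe if `uavcan::CanFrame::data` is at least that large; its definition is not visible in this hunk, and for the CAN FD branch that means 64 bytes. Assuming `data` is a fixed-size array, checking against the destination removes that dependency: `if (recv_frame->len > sizeof(out_frame.data)) { return -EFAULT; }`, and the same with `can_dlc` in the classic branch. The check could also move above `out_frame.id = recv_frame->can_id;` so that a rejected frame leaves `out_frame` untouched. `CanIface::receive` starts and ends outside the hunk, so whether the number of bytes actually read into `_recv_frame` is validated before this point cannot be confirmed here.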