From 2d5af5e2112c58a144dad62699e1933ffdcbfa27 Mon Sep 17 00:00:00 2001
From: Peter van der Perk
Date: Fri, 17 May 2024 12:00:55 +0200
Subject: [PATCH] dronecan: SocketCAN driver check size before copying

Avoids memory corruption if we get packets to big
---
.../uavcan_drivers/socketcan/driver/src/socketcan.cpp | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/drivers/uavcan/uavcan_drivers/socketcan/driver/src/socketcan.cpp b/src/drivers/uavcan/uavcan_drivers/socketcan/driver/src/socketcan.cpp
index b3a8ce183625..bba209113748 100644
--- a/src/drivers/uavcan/uavcan_drivers/socketcan/driver/src/socketcan.cpp
+++ b/src/drivers/uavcan/uavcan_drivers/socketcan/driver/src/socketcan.cpp
@@ -218,12 +218,18 @@ uavcan::int16_t CanIface::receive(uavcan::CanFrame &out_frame, uavcan::Monotonic
 if (_can_fd) {
 struct canfd_frame *recv_frame = (struct canfd_frame *)&_recv_frame;
 out_frame.id = recv_frame->can_id;
+ if(recv_frame->len > CANFD_MAX_DLEN) {
+ return -EFAULT;
+ }
 out_frame.dlc = recv_frame->len;
 memcpy(out_frame.data, &recv_frame->data, recv_frame->len);
 } else {
 struct can_frame *recv_frame = (struct can_frame *)&_recv_frame;
 out_frame.id = recv_frame->can_id;
+ if(recv_frame->can_dlc > CAN_MAX_DLEN) {
+ return -EFAULT;
+ }
 out_frame.dlc = recv_frame->can_dlc;
 memcpy(out_frame.data, &recv_frame->data, recv_frame->can_dlc);
 }
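Review bot: Both new guards bound the copy by the source frame type's maximum (`CANFD_MAX_DLEN`, `CAN_MAX_DLEN`) rather than by the destination, so the `memcpy` into `out_frame.data` is only safe if that buffer is at least that large in every build configuration. The definition of `uavcan::CanFrame` is not visible here, so this needs confirming; if its payload can be smaller than `CANFD_MAX_DLEN`, an FD frame with a valid `len` would still write past it. Comparing against the destination covers both cases, e.g. `if (recv_frame->len > sizeof(out_frame.data)) {`, assuming `data` is an array member. Each guard also runs after `out_frame.id` has been assigned, so a rejected frame leaves `out_frame` partly written; moving the check above that assignment avoids this. The body of `receive()` starts and ends outside the hunk, so how callers treat the `-EFAULT` return cannot be checked from here.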