From 084064bdf1681d7ffa34cbaa645e6bcaebd00659 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sergi=20=C3=80lvarez=20i=20Capilla?=
Date: Sun, 9 Jan 2022 21:41:25 +0100
Subject: [PATCH] Fix oobread transfering large packets via qnxr

---
 shlr/qnx/src/core.c | 1 -
 shlr/qnx/src/packet.c | 6 +++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/shlr/qnx/src/core.c b/shlr/qnx/src/core.c
index 94c5007e79..5b5b08b247 100644
--- a/shlr/qnx/src/core.c
+++ b/shlr/qnx/src/core.c
@@ -151,7 +151,6 @@ int qnxr_connect(libqnxr_t *g, const char *host, int port) {
 g->connected = 0;
 g->mid = 0;
- memmove (g->host, host, strlen (host) + 1);
 g->port = port;
diff --git a/shlr/qnx/src/packet.c b/shlr/qnx/src/packet.c
index b68a3754cc..f4e8437aa2 100644
--- a/shlr/qnx/src/packet.c
+++ b/shlr/qnx/src/packet.c
@@ -1,4 +1,4 @@
-/* libqnxr - GPL - Copyright 2014-2016 - defragger, madprogrammer */
+/* libqnxr - GPL - Copyright 2014-2022 - pancake, defragger, madprogrammer */
 #include
 #include "packet.h"
@@ -155,6 +155,10 @@ int qnxr_send_packet (libqnxr_t *g) {
 p = g->send_buff;
 *p++ = FRAME_CHAR;
+ if (g->send_len >= sizeof (g->tran.data)) {
+ eprintf ("Too large packet %d vs %d\n", (int)g->send_len, (int)sizeof (g->send_len));
+ return false;
+ }
 for (i = 0; i < g->send_len; i++) {
 ut8 c = g->tran.data[i];
 csum += c;
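Review bot: The diagnostic in the added guard in qnxr_send_packet prints `sizeof (g->send_len)` — the width of the length field — instead of the capacity of `g->tran.data` that the packet is actually compared against, so the "vs" value in the log is misleading; it should read `eprintf ("Too large packet %d vs %d\n", (int)g->send_len, (int)sizeof (g->tran.data));`. The `>=` bound also rejects a packet whose length exactly equals `sizeof (g->tran.data)` even though the loop below only reads indices below `g->send_len`; if no trailing byte is required, `>` is the exact bound, though the stricter check is harmless. The guard bounds the read from `g->tran.data` but not the writes through `p` into `g->send_buff`, whose capacity is not visible here, so it is worth confirming that the escaping loop cannot exceed that buffer either. qnxr_send_packet's body starts and ends outside the hunk.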