usb: pd: Avoid buffer overrun during msg_rx

When copying the buffer to the rx_msg structure, ensure
that we do not copy more than the payload buffer size.
Guard the unknown len parameter within a min() check.

Change-Id: I55feff0dbee59b680a42878a38da8e9742332008
Signed-off-by: Jack Pham <jackp@codeaurora.org>

1 files changed, 1 insertions, 1 deletions

diff --git a/drivers/usb/pd/policy_engine.c b/drivers/usb/pd/policy_engine.c
index 611750e209f9..191a3f4b515a 100644
--- a/drivers/usb/pd/policy_engine.c
+++ b/drivers/usb/pd/policy_engine.c
@@ -660,7 +660,7 @@ static void phy_msg_received(struct usbpd *pd, enum pd_msg_type type,
 
 	rx_msg->type = PD_MSG_HDR_TYPE(header);
 	rx_msg->len = PD_MSG_HDR_COUNT(header);
-	memcpy(&rx_msg->payload, buf, len);
+	memcpy(&rx_msg->payload, buf, min(len, sizeof(rx_msg->payload)));
 
 	spin_lock_irqsave(&pd->rx_lock, flags);
 	list_add_tail(&rx_msg->entry, &pd->rx_q);