diff --git a/wlan/BUILD.gn b/wlan/BUILD.gn
index 569c6d3b91eefdc1f9858a05e4bb052c441b323c..2f54149148d336d3351cda97f05dbea819ecd2d6 100644
--- a/wlan/BUILD.gn
+++ b/wlan/BUILD.gn
@@ -19,4 +19,4 @@ group("wlan_entry") {
   if (!defined(ohos_lite)) {
     deps += [ "hdi_service:hdi_wlan_service" ]
   }
-}
+}
\ No newline at end of file
diff --git a/wlan/client/src/netlink/netlink_cmd_adapter.c b/wlan/client/src/netlink/netlink_cmd_adapter.c
index ef7f55237fa3c833f9f38ff2442b6e9d2f6c1c6e..e5952f43a00b07e423d4a0594bc7a9ff1a82e46f 100644
--- a/wlan/client/src/netlink/netlink_cmd_adapter.c
+++ b/wlan/client/src/netlink/netlink_cmd_adapter.c
@@ -131,6 +131,8 @@ static inline uint32_t BIT(uint8_t x)
 #define SOL_NETLINK 270
 #define RECV_MAX_COUNT 100
 #define NETLINK_BUFF_LENGTH 262144
+#define MAX_SCAN_FREQS 255
+#define MAX_PNO_NETWORKS 500
 
 // vendor attr
 enum AndrWifiAttr {
@@ -1651,6 +1653,10 @@ static int32_t CmdScanPutFreqsMsg(struct nl_msg *msg, const WifiScan *scan)
             HILOG_ERROR(LOG_CORE, "%s: nla_nest_start failed", __FUNCTION__);
             return RET_CODE_FAILURE;
         }
+        if (scan->numFreqs > MAX_SCAN_FREQS) {
+            HILOG_ERROR(LOG_CORE, "%s: invalid numFreqs", __FUNCTION__);
+            return RET_CODE_FAILURE;
+        }
         for (i = 0; i < scan->numFreqs; i++) {
             nla_put_u32(msg, i + 1, scan->freqs[i]);
         }
@@ -2656,6 +2662,10 @@ static int32_t ProcessMatchSsidToMsg(struct nl_msg *msg, const WiphyInfo *wiphyI
         HILOG_ERROR(LOG_CORE, "%s: nla_nest_start failed.", __FUNCTION__);
         return RET_CODE_FAILURE;
     }
+    if (pnoSettings->pnoNetworksLen > MAX_PNO_NETWORKS) {
+        HILOG_ERROR(LOG_CORE, "%s: invalid pnoSettings->pnoNetworksLen", __FUNCTION__);
+        return RET_CODE_FAILURE;
+    }
     for (uint32_t i = 0; i < pnoSettings->pnoNetworksLen; i++) {
         if (matchSsidsCount + 1 > wiphyInfo->scanCapabilities.maxMatchSets) {
             break;
@@ -2732,6 +2742,10 @@ static int32_t ProcessSsidToMsg(struct nl_msg *msg, const WiphyInfo *wiphyInfo,
     struct DListHead scanSsids = {0};
 
     DListHeadInit(&scanSsids);
+    if (pnoSettings->pnoNetworksLen > MAX_PNO_NETWORKS) {
+        HILOG_ERROR(LOG_CORE, "%s: invalid pnoSettings->pnoNetworksLen", __FUNCTION__);
+        return RET_CODE_FAILURE;
+    }
     for (uint32_t i = 0; i < pnoSettings->pnoNetworksLen; i++) {
         if (!(pnoSettings->pnoNetworks[i].isHidden)) {
             continue;
@@ -2840,6 +2854,12 @@ static int32_t ProcessFreqToMsg(struct nl_msg *msg, const WifiPnoSettings *pnoSe
     uint32_t index = 0;
 
     DListHeadInit(&scanFreqs);
+    size_t networks_size = sizeof(pnoSettings->pnoNetworks);
+    if (pnoSettings->pnoNetworksLen <= networks_size) {
+        HILOG_ERROR(LOG_CORE, "%s: pnoSettings->pnoNetworksLen failed.", __FUNCTION__);
+        ClearFreqsList(&scanFreqs);
+        return RET_CODE_FAILURE;
+    }
     for (uint32_t i = 0; i < pnoSettings->pnoNetworksLen; i++) {
         for (uint32_t j = 0; j < pnoSettings->pnoNetworks[i].freqsLen; j++) {
             if (InsertFreqToList(pnoSettings->pnoNetworks[i].freqs[j], &scanFreqs) != RET_CODE_SUCCESS) {