summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTiger Yu <tfyu@codeaurora.org>2017-12-01 10:13:56 +0800
committersnandini <snandini@codeaurora.org>2017-12-10 22:26:12 -0800
commit1719b20ec34202f6319934cec2e1e3da385f93ff (patch)
tree53459d68b46385106d201aa3a8716802dccb2767
parent5c4f3c4a5ac8b1fa61bbb06f0f51fce8328d9ca3 (diff)
qcacld-2.0: Fix potential buffer overflow in htt_t2h_lp_msg_handler
Check for the validity of peer_id when received the htt message of HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP from firmware to ensure the buffer overflow does not happen. Change-Id: Ib3f92f4de0b406a78bf34d348c07cb3981277513 CRs-Fixed: 2147119
-rw-r--r--CORE/CLD_TXRX/HTT/htt_t2h.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/CORE/CLD_TXRX/HTT/htt_t2h.c b/CORE/CLD_TXRX/HTT/htt_t2h.c
index 6dedfb9d9b8b..315fdf79cff5 100644
--- a/CORE/CLD_TXRX/HTT/htt_t2h.c
+++ b/CORE/CLD_TXRX/HTT/htt_t2h.c
@@ -301,6 +301,14 @@ htt_t2h_lp_msg_handler(void *context, adf_nbuf_t htt_t2h_msg )
peer_mac_addr = htt_t2h_mac_addr_deswizzle(
(u_int8_t *) (msg_word+1), &mac_addr_deswizzle_buf[0]);
+ if (peer_id > ol_cfg_max_peer_id(pdev->ctrl_pdev)) {
+ adf_os_print("%s: HTT_T2H_MSG_TYPE_PEER_MAP,"
+ "invalid peer_id, %u\n",
+ __FUNCTION__,
+ peer_id);
+ break;
+ }
+
ol_rx_peer_map_handler(
pdev->txrx_pdev, peer_id, vdev_id, peer_mac_addr, 1/*can tx*/);
break;
@@ -310,6 +318,14 @@ htt_t2h_lp_msg_handler(void *context, adf_nbuf_t htt_t2h_msg )
u_int16_t peer_id;
peer_id = HTT_RX_PEER_UNMAP_PEER_ID_GET(*msg_word);
+ if (peer_id > ol_cfg_max_peer_id(pdev->ctrl_pdev)) {
+ adf_os_print("%s: HTT_T2H_MSG_TYPE_PEER_UNMAP,"
+ "invalid peer_id, %u\n",
+ __FUNCTION__,
+ peer_id);
+ break;
+ }
+
ol_rx_peer_unmap_handler(pdev->txrx_pdev, peer_id);
break;
}