diff options
| author | Tiger Yu <tfyu@codeaurora.org> | 2017-12-01 10:13:56 +0800 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-12-10 22:26:12 -0800 |
| commit | 1719b20ec34202f6319934cec2e1e3da385f93ff (patch) | |
| tree | 53459d68b46385106d201aa3a8716802dccb2767 | |
| parent | 5c4f3c4a5ac8b1fa61bbb06f0f51fce8328d9ca3 (diff) | |
qcacld-2.0: Fix potential buffer overflow in htt_t2h_lp_msg_handler
Check for the validity of peer_id when received the htt message of
HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP from firmware
to ensure the buffer overflow does not happen.
Change-Id: Ib3f92f4de0b406a78bf34d348c07cb3981277513
CRs-Fixed: 2147119
| -rw-r--r-- | CORE/CLD_TXRX/HTT/htt_t2h.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/CORE/CLD_TXRX/HTT/htt_t2h.c b/CORE/CLD_TXRX/HTT/htt_t2h.c index 6dedfb9d9b8b..315fdf79cff5 100644 --- a/CORE/CLD_TXRX/HTT/htt_t2h.c +++ b/CORE/CLD_TXRX/HTT/htt_t2h.c @@ -301,6 +301,14 @@ htt_t2h_lp_msg_handler(void *context, adf_nbuf_t htt_t2h_msg ) peer_mac_addr = htt_t2h_mac_addr_deswizzle( (u_int8_t *) (msg_word+1), &mac_addr_deswizzle_buf[0]); + if (peer_id > ol_cfg_max_peer_id(pdev->ctrl_pdev)) { + adf_os_print("%s: HTT_T2H_MSG_TYPE_PEER_MAP," + "invalid peer_id, %u\n", + __FUNCTION__, + peer_id); + break; + } + ol_rx_peer_map_handler( pdev->txrx_pdev, peer_id, vdev_id, peer_mac_addr, 1/*can tx*/); break; @@ -310,6 +318,14 @@ htt_t2h_lp_msg_handler(void *context, adf_nbuf_t htt_t2h_msg ) u_int16_t peer_id; peer_id = HTT_RX_PEER_UNMAP_PEER_ID_GET(*msg_word); + if (peer_id > ol_cfg_max_peer_id(pdev->ctrl_pdev)) { + adf_os_print("%s: HTT_T2H_MSG_TYPE_PEER_UNMAP," + "invalid peer_id, %u\n", + __FUNCTION__, + peer_id); + break; + } + ol_rx_peer_unmap_handler(pdev->txrx_pdev, peer_id); break; } |
