Merge "qcacld-2.0: Fix potential buffer overflow htt_t2h_msg_handler"

2 files changed, 15 insertions, 2 deletions

diff --git a/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c b/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
index a51eb75b79ed..29fc139bde24 100644
--- a/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
+++ b/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2014, 2016-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2014, 2016-2018 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -490,6 +490,12 @@ ol_rx_defrag_waitlist_flush(
         }
 
         tid = rx_reorder->tid;
+        if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+            TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+                    "%s:  invalid tid, %u\n", __func__, tid);
+            WARN_ON(1);
+            continue;
+        }
         /* get index 0 of the rx_reorder array */
         rx_reorder_base = rx_reorder - tid;
         peer = container_of(rx_reorder_base, struct ol_txrx_peer_t, tids_rx_reorder[0]);
diff --git a/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c b/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
index 137549872bf5..0e9928a332b1 100644
--- a/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
+++ b/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2018 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -556,6 +556,13 @@ ol_rx_addba_handler(
     struct ol_txrx_peer_t *peer;
     struct ol_rx_reorder_t *rx_reorder;
 
+    if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+        TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+                "%s:  invalid tid, %u\n", __func__, tid);
+        WARN_ON(1);
+        return;
+    }
+
     peer = ol_txrx_peer_find_by_id(pdev, peer_id);
     if (peer == NULL) {
         return;