summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjitiphil <jitiphil@codeaurora.org>2018-04-05 23:32:57 +0530
committernshrivas <nshrivas@codeaurora.org>2018-04-26 08:53:06 -0700
commit9d68b0276e2c4470bf96830d72ff81956bfd63bb (patch)
treef928af59e38a7716668bcf11fbf4cab3f812e896
parenta9c702598a739a9735d303ace8f2c1dcd8abb51a (diff)
qcacld-3.0: Fix buffer overflow in htt_t2h_msg_handler_fast
Currently variable "num_mpdu_ranges" is from message, which is used directly without any validation which causes buffer over-write. To avoid buffer over-write add check for the valid num_mpdu_ranges Change-Id: I54e138d4bd63cbe7a0ae4faf0fe9d8e59ca92c71 CRs-Fixed: 2213655
-rw-r--r--core/dp/htt/htt_t2h.c31
1 files changed, 30 insertions, 1 deletions
diff --git a/core/dp/htt/htt_t2h.c b/core/dp/htt/htt_t2h.c
index f017192e93b1..77fa6413c1d1 100644
--- a/core/dp/htt/htt_t2h.c
+++ b/core/dp/htt/htt_t2h.c
@@ -994,8 +994,10 @@ void htt_t2h_msg_handler_fast(void *context, qdf_nbuf_t *cmpl_msdus,
{
unsigned int num_mpdu_ranges;
unsigned int num_msdu_bytes;
+ unsigned int calculated_msg_len;
u_int16_t peer_id;
u_int8_t tid;
+ msg_len = qdf_nbuf_len(htt_t2h_msg);
peer_id = HTT_RX_IND_PEER_ID_GET(*msg_word);
tid = HTT_RX_IND_EXT_TID_GET(*msg_word);
@@ -1005,7 +1007,6 @@ void htt_t2h_msg_handler_fast(void *context, qdf_nbuf_t *cmpl_msdus,
WARN_ON(1);
break;
}
-
num_msdu_bytes =
HTT_RX_IND_FW_RX_DESC_BYTES_GET(
*(msg_word + 2 +
@@ -1025,6 +1026,34 @@ void htt_t2h_msg_handler_fast(void *context, qdf_nbuf_t *cmpl_msdus,
HTT_RX_IND_NUM_MPDU_RANGES_GET(*(msg_word
+ 1));
pdev->rx_ind_msdu_byte_idx = 0;
+ if (qdf_unlikely(pdev->rx_mpdu_range_offset_words >
+ msg_len)) {
+ qdf_print("HTT_T2H_MSG_TYPE_RX_IND, invalid rx_mpdu_range_offset_words %d\n",
+ pdev->rx_mpdu_range_offset_words);
+ WARN_ON(1);
+ break;
+ }
+ calculated_msg_len = pdev->rx_mpdu_range_offset_words +
+ (num_mpdu_ranges *
+ (int)sizeof(uint32_t));
+ /*
+ * Check that the addition and multiplication
+ * do not cause integer overflow
+ */
+ if (qdf_unlikely(calculated_msg_len <
+ pdev->rx_mpdu_range_offset_words)) {
+ qdf_print("HTT_T2H_MSG_TYPE_RX_IND, invalid mpdu_ranges %u\n",
+ (num_mpdu_ranges *
+ (int)sizeof(uint32_t)));
+ WARN_ON(1);
+ break;
+ }
+ if (qdf_unlikely(calculated_msg_len > msg_len)) {
+ qdf_print("HTT_T2H_MSG_TYPE_RX_IND, invalid offset_words + mpdu_ranges %u\n",
+ calculated_msg_len);
+ WARN_ON(1);
+ break;
+ }
ol_rx_indication_handler(pdev->txrx_pdev, htt_t2h_msg,
peer_id, tid, num_mpdu_ranges);
break;