authorWill Huang <wilhuang@codeaurora.org>2017-06-08 17:18:42 +0800
committersnandini <snandini@codeaurora.org>2017-06-27 06:05:20 -0700
commitb39ea35638d4a05c8e193f9fa3f26d8f818acd53 (patch)
treec596ed85752b464f1d1f58a025a68d4fddf23230
parent0c8cd41f438fadaa3ef5f0b7693e0ecb1834984c (diff)
qcacmn: Check mbox_index as index and check pointer
This fixes issues reported by static analysis: hif_dev_map_pipe_to_mail_box may return 255, which is assigned to mbox_index and will cause a buffer overflow. Another issue is a missing NULL check after allocating memory in function hif_dev_send_buffer. Fix it by checking for a NULL/invalid returned pointer/index value. Change-Id: If7b954343847097b7b5b601c684fe6b51d90daa4 CRs-Fixed: 2058300
-rw-r--r--hif/src/sdio/hif_sdio_send.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/hif/src/sdio/hif_sdio_send.c b/hif/src/sdio/hif_sdio_send.c
index d3e2dc669710..f84053d9187c 100644
--- a/hif/src/sdio/hif_sdio_send.c
+++ b/hif/src/sdio/hif_sdio_send.c
@@ -109,6 +109,11 @@ QDF_STATUS hif_dev_send_buffer(struct hif_sdio_device *pdev,
uint32_t request = HIF_WR_ASYNC_BLOCK_INC;
uint8_t mbox_index = hif_dev_map_pipe_to_mail_box(pdev, pipe);
+ if (mbox_index == INVALID_MAILBOX_NUMBER) {
+ AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("pipe id(%d) invalid\n", pipe));
+ return QDF_STATUS_E_FAILURE;
+ }
+
padded_length = DEV_CALC_SEND_PADDED_LEN(pdev, nbytes);
A_ASSERT(padded_length - nbytes < HIF_DUMMY_SPACE_MASK + 1);
/*
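Review bot: The new guard rejects only the single sentinel `INVALID_MAILBOX_NUMBER`, so any other out-of-range value returned by `hif_dev_map_pipe_to_mail_box()` would still reach the indexing that the commit message says overflows. The array indexed by `mbox_index` is not visible in this hunk, so this is a point to confirm rather than a proven defect. If the helper can return anything besides a valid index or the sentinel, bound the check by the array's element count instead, e.g. `if (mbox_index >= <MAILBOX_ARRAY_LEN>) {` (placeholder for the real constant). The body of hif_dev_send_buffer starts and ends outside the hunk, so it is also worth confirming that callers handle `buf` correctly on this new early `QDF_STATUS_E_FAILURE` return.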
@@ -145,7 +150,15 @@ QDF_STATUS hif_dev_send_buffer(struct hif_sdio_device *pdev,
(struct hif_sendContext *)
qdf_mem_malloc(sizeof(struct hif_sendContext) +
padded_length);
- send_context->bNewAlloc = true;
+ if (send_context) {
+ send_context->bNewAlloc = true;
+ } else {
+ AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
+ ("Allocate send context fail %d\n",
+ sizeof(struct hif_sendContext) +
+ padded_length));
+ return QDF_STATUS_E_NOMEM;
+ }
}
send_context->netbuf = buf;
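Review bot: The added error log passes `sizeof(struct hif_sendContext) + padded_length` to a `%d` conversion, but that expression has type `size_t`, so specifier and argument do not match; this is undefined behaviour and may print a wrong value on 64-bit targets. Use `%zu` if the printf behind `AR_DEBUG_PRINTF` supports it, or cast explicitly: `("Allocate send context fail %u\n", (unsigned int)(sizeof(struct hif_sendContext) + padded_length))`. As a style point, a guard clause `if (!send_context) { ...; return QDF_STATUS_E_NOMEM; }` followed by an unconditional `send_context->bNewAlloc = true;` would read more directly than the if/else. The enclosing `if` block and the function begin outside the hunk, so whether anything acquired earlier needs releasing on this return cannot be judged from here.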