authorTiger Yu <tfyu@codeaurora.org>2017-12-25 15:24:06 +0800
committersnandini <snandini@codeaurora.org>2018-01-03 14:51:15 -0800
commitccfd151c4e0b45af73d3c1cfdb0ddd66eed4fa66 (patch)
tree2f3ab8128ac1ebc46ba349e737782e74e731822b
parent07367945fae90a569d9d1a25daa5c8b085e7779b (diff)
qcacld-2.0: Fix potential buffer over-read in the htt_t2h_lp_msg_handler
Check the validity of peer_cnt when the HTT_T2H_MSG_TYPE_RATE_REPORT message is received from firmware, to ensure a buffer over-read does not happen. Change-Id: I16c811d20127fe921ef5d1b5a7750629ad38b26b CRs-Fixed: 2159422
-rw-r--r--CORE/CLD_TXRX/HTT/htt_t2h.c8
1 files changed, 8 insertions, 0 deletions
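diff --git a/CORE/CLD_TXRX/HTT/htt_t2h.c b/CORE/CLD_TXRX/HTT/htt_t2h.c
index 7f2b7290a6bf..0653d3797b62 100644
--- a/CORE/CLD_TXRX/HTT/htt_t2h.c
+++ b/CORE/CLD_TXRX/HTT/htt_t2h.c
@@ -535,6 +535,7 @@ htt_t2h_lp_msg_handler(void *context, adf_nbuf_t htt_t2h_msg )
 u_int16_t peer_cnt = HTT_PEER_RATE_REPORT_MSG_PEER_COUNT_GET(*msg_word);
 u_int16_t i;
 struct rate_report_t *report, *each;
+int max_peers;
 /* Param sanity check */
 if (peer_cnt == 0) {
@@ -542,6 +543,13 @@ htt_t2h_lp_msg_handler(void *context, adf_nbuf_t htt_t2h_msg )
 break;
 }
+max_peers = ol_cfg_max_peer_id(pdev->ctrl_pdev) + 1;
+if (peer_cnt > max_peers) {
+adf_os_print("RATE REPORT msg peer_cnt is larger than %d\n",
+max_peers);
+break;
+}
+
 /* At least one peer and no limit apply to peer_cnt here */
 report = adf_os_mem_alloc(NULL,
 sizeof(struct rate_report_t) * peer_cnt);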
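Review bot: The new check bounds peer_cnt by the configured peer limit (`ol_cfg_max_peer_id(pdev->ctrl_pdev) + 1`), not by the size of the message that was actually received, so a firmware message whose peer_cnt is within that limit but which carries fewer bytes still passes, and the code after this hunk that reads peer_cnt entries out of msg_word (outside the hunk, so inferred) can still read past the end of the nbuf. The bound that actually prevents the over-read is the message length; if it is available in this function (adf_nbuf_len(htt_t2h_msg) in this driver), also reject the message when the rate-report header plus peer_cnt times the per-peer wire size (which may differ from `sizeof(struct rate_report_t)`) exceeds it, in addition to the configuration limit kept here. The rejection log would be more useful for diagnosing malformed firmware messages if it printed the offending value as well: `adf_os_print("RATE REPORT msg peer_cnt %u is larger than %d\n", peer_cnt, max_peers);`. htt_t2h_lp_msg_handler starts before and continues after this hunk.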