authorTiger Yu <tfyu@codeaurora.org>2018-01-25 17:53:52 +0800
committerGerrit - the friendly Code Review server <code-review@localhost>2018-02-13 01:24:24 -0800
commitcd25c87a9cc2be37b8b3b5368778ecffd13f8c5a (patch)
treeb3f4c97aec8d1271596c4c745c60fb5fb93c3b95
parentac0ebb2209b64efdb37e127db4250c897a8163de (diff)
qcacld-2.0: Fix potential buffer overflow htt_t2h_msg_handler
Currently the variable "tid" is taken from the message and used directly as array size, which causes a buffer over-write. To address this issue, add a check for the array size. Change-Id: I9fae424d19ce5e886d385071863cbfca9633dd84 CRs-Fixed: 2178818
-rw-r--r--CORE/CLD_TXRX/TXRX/ol_rx_defrag.c8
-rw-r--r--CORE/CLD_TXRX/TXRX/ol_rx_reorder.c9
2 files changed, 15 insertions, 2 deletions
diff --git a/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c b/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
index a51eb75b79ed..29fc139bde24 100644
--- a/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
+++ b/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011-2014, 2016-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2014, 2016-2018 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -490,6 +490,12 @@ ol_rx_defrag_waitlist_flush(
}
tid = rx_reorder->tid;
+ if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+ TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+ "%s: invalid tid, %u\n", __func__, tid);
+ WARN_ON(1);
+ continue;
+ }
/* get index 0 of the rx_reorder array */
rx_reorder_base = rx_reorder - tid;
peer = container_of(rx_reorder_base, struct ol_txrx_peer_t, tids_rx_reorder[0]);
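Review bot: The new `continue` skips an entry with an out-of-range tid without taking it off the waitlist, so if the enclosing loop (which starts outside the hunk) only removes entries further down, the same entry is hit on every later flush and each pass prints the error and a `WARN_ON(1)` backtrace again. Consider unlinking or otherwise retiring the entry before `continue`, and bounding the noise with `WARN_ON_ONCE(1);`. The same unconditional `WARN_ON(1)` is added in ol_rx_addba_handler in ol_rx_reorder.c, where per the commit description tid comes from a message, so a repeated bad value there would also produce a backtrace per message.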
diff --git a/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c b/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
index c7bffde0e460..bc3dc5884d0d 100644
--- a/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
+++ b/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2018 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -556,6 +556,13 @@ ol_rx_addba_handler(
struct ol_txrx_peer_t *peer;
struct ol_rx_reorder_t *rx_reorder;
+ if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+ TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+ "%s: invalid tid, %u\n", __func__, tid);
+ WARN_ON(1);
+ return;
+ }
+
peer = ol_txrx_peer_find_by_id(pdev, peer_id);
if (peer == NULL) {
return;
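Review bot: The bound check is placed in ol_rx_addba_handler, while the commit title names htt_t2h_msg_handler as the point where the message-supplied tid enters, so any other handler that receives the same tid from that dispatcher is not visibly covered by this change. Consider validating tid once where it is extracted from the message, or confirm that every other consumer that uses it as a per-tid index carries its own check. A one-line comment above the guard, such as `/* tid is taken from the target message; reject it before it is used as an index */`, would record why it is there. The function body continues outside the hunk, so how tid is used after the peer lookup is not visible here.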