qcacld: Sanitize the session ID before flow control register/deregister

Currently, there is no validation for session ID before register and
de-register of flow control. So, during this, out of bound session IDs
may get accessed. This fix ensures that session ID is sanitized before
getting accessed

Change-Id: I26ceb8729e6f0bf3ece545b03ccb535bed4ae286
CRs-Fixed: 664586

1 files changed, 10 insertions, 0 deletions

diff --git a/CORE/CLD_TXRX/TLSHIM/tl_shim.c b/CORE/CLD_TXRX/TLSHIM/tl_shim.c
index 5ed6c272ba52..dc5df3c9e3dd 100644
--- a/CORE/CLD_TXRX/TLSHIM/tl_shim.c
+++ b/CORE/CLD_TXRX/TLSHIM/tl_shim.c
@@ -2023,6 +2023,11 @@ void WLANTL_RegisterTXFlowControl
 		return;
 	}
 
+	if (sessionId >= wdi_out_cfg_max_vdevs(((pVosContextType)vos_ctx)->cfg_ctx)) {
+		TLSHIM_LOGE("%s : Invalid session id", __func__);
+		return;
+	}
+
 	adf_os_spin_lock(&tl_shim->session_flow_control[sessionId].fc_lock);
 	tl_shim->session_flow_control[sessionId].flowControl = flowControl;
 	tl_shim->session_flow_control[sessionId].sessionId = sessionId;
@@ -2065,6 +2070,11 @@ void WLANTL_DeRegisterTXFlowControl
 		return;
 	}
 
+        if (sessionId >= wdi_out_cfg_max_vdevs(((pVosContextType)vos_ctx)->cfg_ctx)) {
+                TLSHIM_LOGE("%s : Invalid session id", __func__);
+                return;
+        }
+
 	adf_os_spin_lock(&tl_shim->session_flow_control[sessionId].fc_lock);
 	tl_shim->session_flow_control[sessionId].flowControl = NULL;
 	tl_shim->session_flow_control[sessionId].sessionId = 0xFF;