diff options
| -rw-r--r-- | CORE/CLD_TXRX/HTT/htt_t2h.c | 14 | ||||
| -rw-r--r-- | CORE/CLD_TXRX/TXRX/ol_txrx_types.h | 5 | ||||
| -rw-r--r-- | CORE/UTILS/PKTLOG/pktlog_internal.c | 29 |
3 files changed, 43 insertions, 5 deletions
diff --git a/CORE/CLD_TXRX/HTT/htt_t2h.c b/CORE/CLD_TXRX/HTT/htt_t2h.c index 78c7c4e722b5..6b04135c80eb 100644 --- a/CORE/CLD_TXRX/HTT/htt_t2h.c +++ b/CORE/CLD_TXRX/HTT/htt_t2h.c @@ -392,7 +392,13 @@ htt_t2h_lp_msg_handler(void *context, adf_nbuf_t htt_t2h_msg ) { u_int32_t *pl_hdr; u_int32_t log_type; + uint32_t len = adf_nbuf_len(htt_t2h_msg); + struct ol_fw_data pl_fw_data; + pl_hdr = (msg_word + 1); + pl_fw_data.data = pl_hdr; + pl_fw_data.len = len - sizeof(*msg_word); + log_type = (*(pl_hdr + 1) & ATH_PKTLOG_HDR_LOG_TYPE_MASK) >> ATH_PKTLOG_HDR_LOG_TYPE_SHIFT; if (log_type == PKTLOG_TYPE_TX_CTRL || @@ -400,14 +406,14 @@ htt_t2h_lp_msg_handler(void *context, adf_nbuf_t htt_t2h_msg ) (log_type) == PKTLOG_TYPE_TX_MSDU_ID || (log_type) == PKTLOG_TYPE_TX_FRM_HDR || (log_type) == PKTLOG_TYPE_TX_VIRT_ADDR) { - wdi_event_handler(WDI_EVENT_TX_STATUS, pdev->txrx_pdev, pl_hdr); + wdi_event_handler(WDI_EVENT_TX_STATUS, pdev->txrx_pdev, &pl_fw_data); } else if ((log_type) == PKTLOG_TYPE_RC_FIND) { - wdi_event_handler(WDI_EVENT_RATE_FIND, pdev->txrx_pdev, pl_hdr); + wdi_event_handler(WDI_EVENT_RATE_FIND, pdev->txrx_pdev, &pl_fw_data); } else if ((log_type) == PKTLOG_TYPE_RC_UPDATE) { wdi_event_handler( - WDI_EVENT_RATE_UPDATE, pdev->txrx_pdev, pl_hdr); + WDI_EVENT_RATE_UPDATE, pdev->txrx_pdev, &pl_fw_data); } else if ((log_type) == PKTLOG_TYPE_RX_STAT) { - wdi_event_handler(WDI_EVENT_RX_DESC, pdev->txrx_pdev, pl_hdr); + wdi_event_handler(WDI_EVENT_RX_DESC, pdev->txrx_pdev, &pl_fw_data); } break; } diff --git a/CORE/CLD_TXRX/TXRX/ol_txrx_types.h b/CORE/CLD_TXRX/TXRX/ol_txrx_types.h index cb3404d42032..75221dad098b 100644 --- a/CORE/CLD_TXRX/TXRX/ol_txrx_types.h +++ b/CORE/CLD_TXRX/TXRX/ol_txrx_types.h @@ -1237,4 +1237,9 @@ struct ol_txrx_peer_t { struct ol_rx_reorder_history * reorder_history; }; +struct ol_fw_data { + void *data; + uint32_t len; +}; + #endif /* _OL_TXRX_TYPES__H_ */ diff --git a/CORE/UTILS/PKTLOG/pktlog_internal.c b/CORE/UTILS/PKTLOG/pktlog_internal.c index ec27459b4059..689204978da6 100644 --- a/CORE/UTILS/PKTLOG/pktlog_internal.c +++ b/CORE/UTILS/PKTLOG/pktlog_internal.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved. + * Copyright (c) 2013-2018 The Linux Foundation. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * @@ -229,6 +229,8 @@ process_tx_info(struct ol_txrx_pdev_t *txrx_pdev, struct ath_pktlog_hdr pl_hdr; struct ath_pktlog_info *pl_info; uint32_t *pl_tgt_hdr; + struct ol_fw_data *fw_data; + uint32_t len; if (!txrx_pdev) { printk("Invalid pdev in %s\n", __func__); @@ -236,8 +238,28 @@ process_tx_info(struct ol_txrx_pdev_t *txrx_pdev, } adf_os_assert(txrx_pdev->pl_dev); adf_os_assert(data); + + fw_data = (struct ol_fw_data *)data; + len = fw_data->len; + if (len < (sizeof(uint32_t) * + (ATH_PKTLOG_HDR_FLAGS_OFFSET + 1)) || + len < (sizeof(uint32_t) * + (ATH_PKTLOG_HDR_MISSED_CNT_OFFSET + 1)) || + len < (sizeof(uint32_t) * + (ATH_PKTLOG_HDR_LOG_TYPE_OFFSET + 1)) || + len < (sizeof(uint32_t) * + (ATH_PKTLOG_HDR_SIZE_OFFSET + 1)) || + len < (sizeof(uint32_t) * + (ATH_PKTLOG_HDR_TIMESTAMP_OFFSET + 1))) { + adf_os_print("Invalid msdu len in %s\n", __func__); + adf_os_assert(0); + return A_ERROR; + } + pl_dev = txrx_pdev->pl_dev; + data = fw_data->data; + pl_tgt_hdr = (uint32_t *)data; /* * Makes the short words (16 bits) portable b/w little endian @@ -259,6 +281,11 @@ process_tx_info(struct ol_txrx_pdev_t *txrx_pdev, pl_info = pl_dev->pl_info; + if (sizeof(struct ath_pktlog_hdr) + pl_hdr.size > len) { + adf_os_assert(0); + return A_ERROR; + } + if (pl_hdr.log_type == PKTLOG_TYPE_TX_FRM_HDR) { /* Valid only for the TX CTL */ process_ieee_hdr(data + sizeof(pl_hdr)); |