From dbb1cccc60307aebe610797b260ec09e15b30079 Mon Sep 17 00:00:00 2001
From: "Chandrasekaran, Manishekar"
Date: Thu, 15 May 2014 16:33:36 +0530
Subject: qcacld: Sanitize the session ID before flow control register/deregister

Currently, there is no validation for session ID before register and de-register of flow control. So, during this, out of bound session IDs may get accessed. This fix ensures that session ID is sanitized before getting accessed

Change-Id: I26ceb8729e6f0bf3ece545b03ccb535bed4ae286
CRs-Fixed: 664586
---
 CORE/CLD_TXRX/TLSHIM/tl_shim.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/CORE/CLD_TXRX/TLSHIM/tl_shim.c b/CORE/CLD_TXRX/TLSHIM/tl_shim.c
index 5ed6c272ba52..dc5df3c9e3dd 100644
--- a/CORE/CLD_TXRX/TLSHIM/tl_shim.c
+++ b/CORE/CLD_TXRX/TLSHIM/tl_shim.c
@@ -2023,6 +2023,11 @@ void WLANTL_RegisterTXFlowControl
 return;
 }
+ if (sessionId >= wdi_out_cfg_max_vdevs(((pVosContextType)vos_ctx)->cfg_ctx)) {
+ TLSHIM_LOGE("%s : Invalid session id", __func__);
+ return;
+ }
+
 adf_os_spin_lock(&tl_shim->session_flow_control[sessionId].fc_lock);
 tl_shim->session_flow_control[sessionId].flowControl = flowControl;
 tl_shim->session_flow_control[sessionId].sessionId = sessionId;
@@ -2065,6 +2070,11 @@ void WLANTL_DeRegisterTXFlowControl
 return;
 }
+ if (sessionId >= wdi_out_cfg_max_vdevs(((pVosContextType)vos_ctx)->cfg_ctx)) {
+ TLSHIM_LOGE("%s : Invalid session id", __func__);
+ return;
+ }
+
 adf_os_spin_lock(&tl_shim->session_flow_control[sessionId].fc_lock);
 tl_shim->session_flow_control[sessionId].flowControl = NULL;
 tl_shim->session_flow_control[sessionId].sessionId = 0xFF;
-- cgit v1.2.3
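Review bot: The new guard in WLANTL_RegisterTXFlowControl (and the identical one in WLANTL_DeRegisterTXFlowControl) bounds `sessionId` by the runtime value returned from `wdi_out_cfg_max_vdevs()`, not by the declared size of `session_flow_control[]`, so the index is only safe if that configured count can never exceed the array's capacity. The array declaration is outside these hunks, so this needs confirming; if it is a fixed-size array, compare against its element count as well, or state the invariant next to the check, e.g. `/* session_flow_control[] holds at least wdi_out_cfg_max_vdevs() entries */`. The check also dereferences the cast `vos_ctx`, and whether it was NULL-checked earlier cannot be seen here because both functions begin above their hunks. Logging the rejected value would make the error useful for triage: `TLSHIM_LOGE("%s : Invalid session id %d", __func__, sessionId);`.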