qcacld-2.0: Fix potential buffer overflow in htt_t2h_lp_msg_handler
Check for the validity of peer_id when received the htt message of
HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP from firmware
to ensure the buffer overflow does not happen.
Change-Id: Ib3f92f4de0b406a78bf34d348c07cb3981277513
CRs-Fixed: 2147119
diff --git a/CORE/CLD_TXRX/HTT/htt_t2h.c b/CORE/CLD_TXRX/HTT/htt_t2h.c
index 6dedfb9..315fdf7 100644
--- a/CORE/CLD_TXRX/HTT/htt_t2h.c
+++ b/CORE/CLD_TXRX/HTT/htt_t2h.c
@@ -301,6 +301,14 @@
peer_mac_addr = htt_t2h_mac_addr_deswizzle(
(u_int8_t *) (msg_word+1), &mac_addr_deswizzle_buf[0]);
+ if (peer_id > ol_cfg_max_peer_id(pdev->ctrl_pdev)) {
+ adf_os_print("%s: HTT_T2H_MSG_TYPE_PEER_MAP,"
+ "invalid peer_id, %u\n",
+ __FUNCTION__,
+ peer_id);
+ break;
+ }
+
ol_rx_peer_map_handler(
pdev->txrx_pdev, peer_id, vdev_id, peer_mac_addr, 1/*can tx*/);
break;
@@ -310,6 +318,14 @@
u_int16_t peer_id;
peer_id = HTT_RX_PEER_UNMAP_PEER_ID_GET(*msg_word);
+ if (peer_id > ol_cfg_max_peer_id(pdev->ctrl_pdev)) {
+ adf_os_print("%s: HTT_T2H_MSG_TYPE_PEER_UNMAP,"
+ "invalid peer_id, %u\n",
+ __FUNCTION__,
+ peer_id);
+ break;
+ }
+
ol_rx_peer_unmap_handler(pdev->txrx_pdev, peer_id);
break;
}
