qcacld-2.0: Fix potential integer overflow when TX_CREDIT_UPDATE
Check for the validity of credits when received the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND or HTT_T2H_MSG_TYPE_TX_COMPL_IND
from firmware to ensure the integer overflow does not happen if these
messages invoked many times.
Change-Id: I01386b88f1b677153f3e51e055b7fbac073cd6b3
CRs-Fixed: 2147127
diff --git a/CORE/CLD_TXRX/HTT/htt_t2h.c b/CORE/CLD_TXRX/HTT/htt_t2h.c
index 315fdf7..acdf900 100644
--- a/CORE/CLD_TXRX/HTT/htt_t2h.c
+++ b/CORE/CLD_TXRX/HTT/htt_t2h.c
@@ -141,6 +141,8 @@
#define HTT_FAIL_NOTIFY_BREAK_CHECK(status) 0
#endif /* CONFIG_HL_SUPPORT */
+#define MAX_TARGET_TX_CREDIT 204800
+
/* Target to host Msg/event handler for low priority messages*/
void
htt_t2h_lp_msg_handler(void *context, adf_nbuf_t htt_t2h_msg )
@@ -414,12 +416,23 @@
{
u_int32_t htt_credit_delta_abs;
int32_t htt_credit_delta;
- int sign;
+ int sign, old_credit;
htt_credit_delta_abs = HTT_TX_CREDIT_DELTA_ABS_GET(*msg_word);
sign = HTT_TX_CREDIT_SIGN_BIT_GET(*msg_word) ? -1 : 1;
htt_credit_delta = sign * htt_credit_delta_abs;
+ old_credit = adf_os_atomic_read(&pdev->htt_tx_credit.target_delta);
+ if (((old_credit + htt_credit_delta) > MAX_TARGET_TX_CREDIT) ||
+ ((old_credit + htt_credit_delta) < -MAX_TARGET_TX_CREDIT)) {
+ adf_os_print("%s: invalid credit update,old_credit=%d,"
+ "htt_credit_delta=%d\n",
+ __FUNCTION__,
+ old_credit,
+ htt_credit_delta);
+ break;
+ }
+
if (pdev->cfg.is_high_latency &&
!pdev->cfg.default_tx_comp_req) {
HTT_TX_MUTEX_ACQUIRE(&pdev->credit_mutex);
@@ -654,6 +667,7 @@
}
case HTT_T2H_MSG_TYPE_TX_COMPL_IND:
{
+ int old_credit;
int num_msdus;
enum htt_tx_status status;
int msg_len = adf_nbuf_len(htt_t2h_msg);
@@ -711,19 +725,30 @@
break;
}
- if (!pdev->cfg.default_tx_comp_req) {
- int credit_delta;
- HTT_TX_MUTEX_ACQUIRE(&pdev->credit_mutex);
- adf_os_atomic_add(num_msdus,
- &pdev->htt_tx_credit.target_delta);
- credit_delta = htt_tx_credit_update(pdev);
- HTT_TX_MUTEX_RELEASE(&pdev->credit_mutex);
- if (credit_delta) {
- ol_tx_target_credit_update(pdev->txrx_pdev,
- credit_delta);
- }
+ old_credit = adf_os_atomic_read(&pdev->htt_tx_credit.target_delta);
+ if (((old_credit + num_msdus) > MAX_TARGET_TX_CREDIT) ||
+ ((old_credit + num_msdus) < -MAX_TARGET_TX_CREDIT)) {
+ adf_os_print("%s: invalid credit update,old_credit=%d,"
+ "num_msdus=%d\n",
+ __FUNCTION__,
+ old_credit,
+ num_msdus);
} else {
- ol_tx_target_credit_update(pdev->txrx_pdev, num_msdus);
+ if (!pdev->cfg.default_tx_comp_req) {
+ int credit_delta;
+ HTT_TX_MUTEX_ACQUIRE(&pdev->credit_mutex);
+ adf_os_atomic_add(num_msdus,
+ &pdev->htt_tx_credit.target_delta);
+ credit_delta = htt_tx_credit_update(pdev);
+ HTT_TX_MUTEX_RELEASE(&pdev->credit_mutex);
+ if (credit_delta) {
+ ol_tx_target_credit_update(pdev->txrx_pdev,
+ credit_delta);
+ }
+ } else {
+ ol_tx_target_credit_update(pdev->txrx_pdev,
+ num_msdus);
+ }
}
}
ol_tx_completion_handler(