commit 722bf0811d0f8ffdd1aba5d206db2612fa484dc3
author Tiger Yu <tfyu@codeaurora.org> Thu Jan 18 16:52:18 2018 +0800
committer Anjaneedevi Kapparapu <akappara@codeaurora.org> Thu Feb 01 15:22:53 2018 +0530
tree 282bafa74fdf9d858e91ef08777ce568fde9978f
parent 557cf555d6ddb5261a07fab177333cc1c93b0385

qcacld-2.0: Fix potential buffer overflow in ol_txrx_update_tx_queue_groups

Check for the validity of group_id when received the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND from firmware to ensure the buffer
overflow does not happen.

Change-Id: I17ac9f37a1450f32fb080c3b22f6317b6238068c
CRs-Fixed: 2174506

CORE/CLD_TXRX/TXRX/ol_txrx.c

diff --git a/CORE/CLD_TXRX/TXRX/ol_txrx.c b/CORE/CLD_TXRX/TXRX/ol_txrx.c
index b137cdf..adf8dad 100644
--- a/CORE/CLD_TXRX/TXRX/ol_txrx.c
+++ b/CORE/CLD_TXRX/TXRX/ol_txrx.c
@@ -288,6 +288,15 @@
     u_int32_t group_vdev_bit_mask, vdev_bit_mask, group_vdev_id_mask;
     u_int32_t membership;
     struct ol_txrx_vdev_t *vdev;
+
+    if (group_id >= OL_TX_MAX_TXQ_GROUPS) {
+        TXRX_PRINT(TXRX_PRINT_LEVEL_WARN,
+            "%s: invalid group_id=%u, ignore update.\n",
+            __func__,
+            group_id);
+        return;
+    }
+
     group = &pdev->txq_grps[group_id];
 
     membership = OL_TXQ_GROUP_MEMBERSHIP_GET(vdev_id_mask,ac_mask);