qcacld-2.0: Fix buffer overflow in ol_tx_inspect_handler
Currently the variable "tx_desc_id" is taken from the message and
is used without a check. This may cause a buffer over-write.
To address this issue, add a check for a valid "tx_desc_id".
Change-Id: Ifcdbf60ce1e0f81be77308185ab51b59746c21af
CRs-Fixed: 2178877
diff --git a/CORE/CLD_TXRX/TXRX/ol_tx_send.c b/CORE/CLD_TXRX/TXRX/ol_tx_send.c
index dd5cff4..bc6120b 100644
--- a/CORE/CLD_TXRX/TXRX/ol_tx_send.c
+++ b/CORE/CLD_TXRX/TXRX/ol_tx_send.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2018 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -710,7 +710,14 @@
trace_str = (status) ? "OT:C:F:" : "OT:C:S:";
for (i = 0; i < num_msdus; i++) {
tx_desc_id = desc_ids[i];
+ if (tx_desc_id >= pdev->tx_desc.pool_size) {
+ TXRX_PRINT(TXRX_PRINT_LEVEL_WARN,
+ "%s: drop due to invalid msdu id = %x\n",
+ __func__, tx_desc_id);
+ continue;
+ }
tx_desc = ol_tx_desc_find(pdev, tx_desc_id);
+ adf_os_assert(tx_desc);
tx_desc->status = status;
netbuf = tx_desc->netbuf;
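Review bot: `adf_os_assert(tx_desc)` is the only guard between `ol_tx_desc_find()` and the `tx_desc->status = status` write, and an assert is a weak guard for a value derived from a target message: if the macro compiles out or only logs in production builds (its definition is not visible here), a NULL descriptor is still dereferenced on the next line. Treating it like the out-of-range id keeps the failure mode consistent, e.g. `if (!tx_desc) continue;` after the lookup. The same applies to the second loop in the `@@ -991,7 +998,14 @@` hunk, where `tx_desc->netbuf` follows the assert. The new bound check rejects only ids at or past `pool_size`; whether an in-range id can name a descriptor that is not currently in flight is not visible here and is worth confirming against `ol_tx_desc_find()` and the free-list handling. Both loops sit in functions whose start and end are outside the hunks, so any earlier validation of `num_msdus` or `desc_ids` cannot be seen from this page.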
@@ -991,7 +998,14 @@
for (i = 0; i < num_msdus; i++) {
tx_desc_id = desc_ids[i];
+ if (tx_desc_id >= pdev->tx_desc.pool_size) {
+ TXRX_PRINT(TXRX_PRINT_LEVEL_WARN,
+ "%s: drop due to invalid msdu id = %x\n",
+ __func__, tx_desc_id);
+ continue;
+ }
tx_desc = ol_tx_desc_find(pdev, tx_desc_id);
+ adf_os_assert(tx_desc);
netbuf = tx_desc->netbuf;
/* find the "vdev" this tx_desc belongs to */