commit 7b9db27783953704e258da339a05f6e9acf7fa83
author Tiger Yu <tfyu@codeaurora.org> Thu Jan 25 18:05:21 2018 +0800
committer Anjaneedevi Kapparapu <akappara@codeaurora.org> Thu Feb 01 15:22:55 2018 +0530
tree 4a136b01a6dc2ecf7979c6de8079335436a73c01
parent a6a684ea9260c44d954797b0319c21eef76f25d3

qcacld-2.0: Fix buffer overflow in ol_tx_inspect_handler

Currently variable "tx_desc_id" is from message and it
is used without check.This may cause buffer over-write.

To address this issue add check for valid "tx_desc_id"

Change-Id: Ifcdbf60ce1e0f81be77308185ab51b59746c21af
CRs-Fixed: 2178877

CORE/CLD_TXRX/TXRX/ol_tx_send.c

diff --git a/CORE/CLD_TXRX/TXRX/ol_tx_send.c b/CORE/CLD_TXRX/TXRX/ol_tx_send.c
index dd5cff4..bc6120b 100644
--- a/CORE/CLD_TXRX/TXRX/ol_tx_send.c
+++ b/CORE/CLD_TXRX/TXRX/ol_tx_send.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2018 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -710,7 +710,14 @@
     trace_str = (status) ? "OT:C:F:" : "OT:C:S:";
     for (i = 0; i < num_msdus; i++) {
         tx_desc_id = desc_ids[i];
+        if (tx_desc_id >= pdev->tx_desc.pool_size) {
+            TXRX_PRINT(TXRX_PRINT_LEVEL_WARN,
+                    "%s: drop due to invalid msdu id = %x\n",
+                    __func__, tx_desc_id);
+            continue;
+        }
         tx_desc = ol_tx_desc_find(pdev, tx_desc_id);
+        adf_os_assert(tx_desc);
         tx_desc->status = status;
         netbuf = tx_desc->netbuf;
 
@@ -991,7 +998,14 @@
 
     for (i = 0; i < num_msdus; i++) {
         tx_desc_id = desc_ids[i];
+        if (tx_desc_id >= pdev->tx_desc.pool_size) {
+            TXRX_PRINT(TXRX_PRINT_LEVEL_WARN,
+                    "%s: drop due to invalid msdu id = %x\n",
+                    __func__, tx_desc_id);
+            continue;
+        }
         tx_desc = ol_tx_desc_find(pdev, tx_desc_id);
+        adf_os_assert(tx_desc);
         netbuf = tx_desc->netbuf;
 
         /* find the "vdev" this tx_desc belongs to */