qcacld-2.0: Fix potential buffer overflow htt_t2h_msg_handler
Currently the variable "tid" is taken from the message and used
directly as an array index, which can cause a buffer over-write.
To address this issue, add a bounds check on tid in
ol_rx_delba_handler & ol_rx_pn_ind_handler.
Change-Id: I39e5d9c5315a2bf9f34a65651025a1d8fc919c28
CRs-Fixed: 2178818
diff --git a/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c b/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
index bc3dc58..0e9928a 100644
--- a/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
+++ b/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
@@ -603,6 +603,13 @@
struct ol_txrx_peer_t *peer;
struct ol_rx_reorder_t *rx_reorder;
+ if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+ TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+ "%s: invalid tid, %u\n", __func__, tid);
+ WARN_ON(1);
+ return;
+ }
+
peer = ol_txrx_peer_find_by_id(pdev, peer_id);
if (peer == NULL) {
return;
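Review bot: The `WARN_ON(1)` added after the tid check fires on every malformed message, and since tid comes from a message the firmware/peer side controls, a stream of bad indications would dump a stack trace each time and flood the kernel log; `WARN_ON_ONCE(1)` (or dropping the WARN and keeping only the error print) retains the diagnostic without handing out a log-flooding lever. The comparison `tid >= OL_TXRX_NUM_EXT_TIDS` is complete only if tid is an unsigned type — the `%u` format suggests it is, but if it were a signed int a negative value would slip past; worth confirming against the parameter declaration, which is outside the hunk. The enclosing function (ol_rx_delba_handler, per the commit message) begins before and ends after this hunk.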
@@ -712,6 +719,13 @@
u_int16_t seq_num;
int i=0;
+ if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+ TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+ "%s: invalid tid, %u\n", __func__, tid);
+ WARN_ON(1);
+ return;
+ }
+
peer = ol_txrx_peer_find_by_id(pdev, peer_id);
if (!peer) {