qcacld-2.0: Fix potential buffer overflow htt_t2h_msg_handler
Currently variable "tid" is from message, which is used
directly as array size which causes buffer over-write.
To address this issue add check for the array size.
Change-Id: I9fae424d19ce5e886d385071863cbfca9633dd84
CRs-Fixed: 2178818
diff --git a/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c b/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
index a51eb75..29fc139 100644
--- a/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
+++ b/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011-2014, 2016-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2014, 2016-2018 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -490,6 +490,12 @@
}
tid = rx_reorder->tid;
+ if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+ TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+ "%s: invalid tid, %u\n", __func__, tid);
+ WARN_ON(1);
+ continue;
+ }
/* get index 0 of the rx_reorder array */
rx_reorder_base = rx_reorder - tid;
peer = container_of(rx_reorder_base, struct ol_txrx_peer_t, tids_rx_reorder[0]);
diff --git a/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c b/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
index c7bffde..bc3dc58 100644
--- a/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
+++ b/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2018 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -556,6 +556,13 @@
struct ol_txrx_peer_t *peer;
struct ol_rx_reorder_t *rx_reorder;
+ if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+ TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+ "%s: invalid tid, %u\n", __func__, tid);
+ WARN_ON(1);
+ return;
+ }
+
peer = ol_txrx_peer_find_by_id(pdev, peer_id);
if (peer == NULL) {
return;
