qcacld-2.0: Fix potential buffer overwrite in the htt_t2h_lp_msg_handler
Check the validity of tx_desc_id when the HTT message
HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND is received from firmware, to ensure
that the buffer overwrite does not happen.
Change-Id: I0afc781b7fff303525352b817e7eb60b8b05e4d3
CRs-Fixed: 2157917
diff --git a/CORE/CLD_TXRX/TXRX/ol_tx_desc.h b/CORE/CLD_TXRX/TXRX/ol_tx_desc.h
index 06fd1a1..7a6f055 100644
--- a/CORE/CLD_TXRX/TXRX/ol_tx_desc.h
+++ b/CORE/CLD_TXRX/TXRX/ol_tx_desc.h
@@ -119,6 +119,9 @@
{
struct ol_tx_desc_t *tx_desc;
+ if (tx_desc_id >= pdev->tx_desc.pool_size)
+ return NULL;
+
tx_desc = ol_tx_desc_find(pdev, tx_desc_id);
if (tx_desc->pkt_type == ol_tx_frm_freed) {
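Review bot: The guard added here makes the lookup return NULL for an out-of-range `tx_desc_id`, as does the identical guard in the second hunk (`@@ -135,6 +138,9 @@`), but no caller change is visible on this page, so a caller that uses the result without a NULL test would turn the prevented overwrite into a NULL dereference. The commit message names `htt_t2h_lp_msg_handler` as the path that passes the firmware-supplied id; that handler and every other caller of these two functions should be confirmed to test the returned pointer before use. A comment above each check, such as `/* tx_desc_id is supplied by firmware; reject ids outside the descriptor pool */`, would record why the bound is enforced at this point. Both function signatures lie outside the hunks, so the type of `tx_desc_id` cannot be confirmed from here; if it is signed, the comparison against `pdev->tx_desc.pool_size` should be checked for negative values as well.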
@@ -135,6 +138,9 @@
{
struct ol_tx_desc_t *tx_desc;
+ if (tx_desc_id >= pdev->tx_desc.pool_size)
+ return NULL;
+
tx_desc = ol_tx_desc_find(pdev, tx_desc_id);
/* check against invalid tx_desc_id */