qcacld-2.0: Fix potential buffer over-read in the htt_t2h_lp_msg_handler

Check the validity of peer_cnt when an HTT message of type
HTT_T2H_MSG_TYPE_RATE_REPORT is received from firmware, to ensure that a
buffer over-read does not happen.

Change-Id: I16c811d20127fe921ef5d1b5a7750629ad38b26b
CRs-Fixed: 2159422
diff --git a/CORE/CLD_TXRX/HTT/htt_t2h.c b/CORE/CLD_TXRX/HTT/htt_t2h.c
index 7f2b729..0653d37 100644
--- a/CORE/CLD_TXRX/HTT/htt_t2h.c
+++ b/CORE/CLD_TXRX/HTT/htt_t2h.c
@@ -535,6 +535,7 @@
             u_int16_t peer_cnt = HTT_PEER_RATE_REPORT_MSG_PEER_COUNT_GET(*msg_word);
             u_int16_t i;
             struct rate_report_t *report, *each;
+            int max_peers;
 
             /* Param sanity check */
             if (peer_cnt == 0) {
@@ -542,6 +543,13 @@
                 break;
             }
 
+            max_peers = ol_cfg_max_peer_id(pdev->ctrl_pdev) + 1;
+            if (peer_cnt > max_peers) {
+                adf_os_print("RATE REPORT msg peer_cnt is larger than %d\n",
+                    max_peers);
+                break;
+            }
+
             /* At least one peer and no limit apply to peer_cnt here */
             report = adf_os_mem_alloc(NULL,
                 sizeof(struct rate_report_t) * peer_cnt);
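Review bot: The new `peer_cnt > max_peers` guard bounds the firmware-supplied count against configuration, not against the number of bytes actually present in the received message. The per-peer reads from `msg_word` happen after the allocation, outside this hunk, so this is inferred: a report that claims a permitted `peer_cnt` but carries fewer records than that could still be read past its end. Consider also rejecting the message when the buffer length is smaller than the header plus `peer_cnt` times the per-peer record size. Separately, the context comment `/* At least one peer and no limit apply to peer_cnt here */` is now stale and should read something like `/* peer_cnt is in the range 1..max_peers here */`.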