qcacld-2.0: Fix potential buffer over-read in the htt_t2h_lp_msg_handler
Check the validity of peer_cnt when an HTT message of type
HTT_T2H_MSG_TYPE_RATE_REPORT is received from firmware, to ensure that a
buffer over-read does not happen.
Change-Id: I16c811d20127fe921ef5d1b5a7750629ad38b26b
CRs-Fixed: 2159422
diff --git a/CORE/CLD_TXRX/HTT/htt_t2h.c b/CORE/CLD_TXRX/HTT/htt_t2h.c
index 7f2b729..0653d37 100644
--- a/CORE/CLD_TXRX/HTT/htt_t2h.c
+++ b/CORE/CLD_TXRX/HTT/htt_t2h.c
@@ -535,6 +535,7 @@
u_int16_t peer_cnt = HTT_PEER_RATE_REPORT_MSG_PEER_COUNT_GET(*msg_word);
u_int16_t i;
struct rate_report_t *report, *each;
+ int max_peers;
/* Param sanity check */
if (peer_cnt == 0) {
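Review bot: The `int max_peers` declared in this hunk is used in the following hunk only to cap `peer_cnt` against the configured peer-id range (`ol_cfg_max_peer_id(pdev->ctrl_pdev) + 1`), which is not the bound the commit title describes: the over-read is of the received HTT message, whose length is not compared against `peer_cnt` anywhere in the visible hunks. A firmware message that is shorter than `sizeof(struct rate_report_t) * peer_cnt` but carries a `peer_cnt` within the configured range would still pass the new check, so the handler should additionally reject the message when the remaining message length is smaller than the announced report array — hedged, since the message-length variable of this handler is not visible here. A comment at the declaration such as `/* upper bound on peer_cnt derived from the configured peer-id range, not from the message length */` would make the intent of the check explicit. The enclosing function starts before this hunk and continues past it.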
@@ -542,6 +543,13 @@
break;
}
+ max_peers = ol_cfg_max_peer_id(pdev->ctrl_pdev) + 1;
+ if (peer_cnt > max_peers) {
+ adf_os_print("RATE REPORT msg peer_cnt is larger than %d\n",
+ max_peers);
+ break;
+ }
+
/* At least one peer and no limit apply to peer_cnt here */
report = adf_os_mem_alloc(NULL,
sizeof(struct rate_report_t) * peer_cnt);