authorsheenam monga <shebala@codeaurora.org>2021-08-03 15:04:29 +0530
committerHsiu-Chang Chen <hsiuchangchen@google.com>2021-11-15 17:39:30 +0800
commit260c68c1611d74314bc3e6f15bfb2f6504173aca (patch)
tree38bf2b969720852991c2a9397847260a08e82122
parent001a6592573d163a8bead36affb02ecab74c005c (diff)
qcacmn: Fix possible OOB in wmi_extract_dbr_buf_release_entry
Currently in function wmi_extract_dbr_buf_release_entry, num_buf_release_entry & num_meta_data_entry are copied to direct_buf_rx_rsp structure without any validation which may cause out of bound issue if num_buf_release_entry or num_meta_data_entries provided in fixed param becomes greater than actual number of entries. Fix is to validate num_entries and num_meta_data before populating param->num_buf_release_entry and param->num_meta_data_entry. Bug: 202032183 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: I18050fd4f90f8815d7eceb5f715fdbaa09130d3a CRs-Fixed: 3000875
-rw-r--r--target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c5
-rw-r--r--wmi/src/wmi_unified_dbr_tlv.c12
2 files changed, 16 insertions, 1 deletions
diff --git a/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c b/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
index 4ea5b4677..d7e0d6724 100644
--- a/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
+++ b/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
@@ -1046,6 +1046,11 @@ static int target_if_direct_buf_rx_rsp_event_handler(ol_scn_t scn,
dbr_buf_pool = mod_param->dbr_buf_pool;
dbr_rsp.dbr_entries = qdf_mem_malloc(dbr_rsp.num_buf_release_entry *
sizeof(struct direct_buf_rx_entry));
+ if (!dbr_rsp.dbr_entries) {
+ direct_buf_rx_err("invalid dbr_entries");
+ wlan_objmgr_pdev_release_ref(pdev, dbr_mod_id);
+ return QDF_STATUS_E_FAILURE;
+ }
if (dbr_rsp.num_meta_data_entry > dbr_rsp.num_buf_release_entry) {
direct_buf_rx_err("More than expected number of metadata");
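Review bot: The added `if (!dbr_rsp.dbr_entries)` branch logs "invalid dbr_entries" for what is an allocation failure, and it returns `QDF_STATUS_E_FAILURE` from a handler whose signature in the hunk header is `static int`. A message such as `direct_buf_rx_err("failed to allocate dbr_entries");` would stop triage from mistaking out-of-memory for a malformed event. Whether the caller treats a QDF status value as an error, or expects a negative errno as other `int` handlers often do, is not visible here and is worth confirming against the other return paths of this function. The allocation size is `num_buf_release_entry * sizeof(struct direct_buf_rx_entry)` with a count taken from the firmware event, so this path relies on the bound added in wmi_unified_dbr_tlv.c; a short comment above the `qdf_mem_malloc` call saying that would help the next reader. The handler starts and ends outside this hunk.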
diff --git a/wmi/src/wmi_unified_dbr_tlv.c b/wmi/src/wmi_unified_dbr_tlv.c
index f4c0f157c..6e91d05b5 100644
--- a/wmi/src/wmi_unified_dbr_tlv.c
+++ b/wmi/src/wmi_unified_dbr_tlv.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2016-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2021 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -129,7 +129,17 @@ static QDF_STATUS extract_dbr_buf_release_fixed_tlv(wmi_unified_t wmi_handle,
param->pdev_id = wmi_handle->ops->convert_target_pdev_id_to_host(
ev->pdev_id);
param->mod_id = ev->mod_id;
+ if ((!param_buf->num_entries) ||
+ param_buf->num_entries < ev->num_buf_release_entry){
+ wmi_err("actual num of buf release entries less than provided entries");
+ return QDF_STATUS_E_INVAL;
+ }
param->num_buf_release_entry = ev->num_buf_release_entry;
+ if ((!param_buf->num_meta_data) ||
+ param_buf->num_meta_data < ev->num_meta_data_entry) {
+ wmi_err("actual num of meta data entries less than provided entries");
+ return QDF_STATUS_E_INVAL;
+ }
param->num_meta_data_entry = ev->num_meta_data_entry;
WMI_LOGD("%s:pdev id %d mod id %d num buf release entry %d", __func__,
param->pdev_id, param->mod_id, param->num_buf_release_entry);
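Review bot: Both added checks combine the bounds comparison with an unconditional zero test (`!param_buf->num_entries`, `!param_buf->num_meta_data`), so an event whose fixed param declares zero entries and carries no matching TLV array is now rejected. The comparison alone is what prevents the out-of-bounds read. If the firmware can legitimately send an event with no metadata, the second check would drop it; `if (param_buf->num_meta_data < ev->num_meta_data_entry) {` keeps the protection without that side effect, and if zero really is invalid it deserves its own log message rather than "less than provided entries". Also, `param->pdev_id`, `param->mod_id` and, on the second failure, `param->num_buf_release_entry` are already written when `QDF_STATUS_E_INVAL` is returned, so a caller that ignores the status sees a partly filled structure; validating both counts before any assignment avoids that. A small style point: `ev->num_buf_release_entry){` is missing the space before the brace. The function continues outside this hunk.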