author | Paul Chen <chenpaul@google.com> | 2023-05-08 09:46:10 +0800 |
---|---|---|
committer | Paul Chen <chenpaul@google.com> | 2023-05-08 09:46:10 +0800 |
commit | d7cc06c530ca26a76e43489b79c8bc15252b816e (patch) | |
tree | 9239d4e1d4429924afb1b61132ae17403523c215 | |
parent | 8e54eec6e8cd7ca6e1344b03110879d9e9ba10ca (diff) | |
download | qca-wfi-host-cmn-android-msm-sunfish-4.14-android13-qpr3.tar.gz |
qcacmn: Check cookie and avoid to read out of bound
android-13.0.0_r0.130 android-13.0.0_r0.110 android-13.0.0_r0.101 android-msm-sunfish-4.14-android13-qpr3
An invalid cookie causes an out-of-bounds read that leaves the device broken. This
change checks the cookie before using it as an index into the DBR buffer pool.
Bug: 276750665
Test: Code Drop Test
Change-Id: I1abc7d771cc62a7dd2dfe98784bf8ef2710f26ca
CRs-Fixed: 3144133
Signed-off-by: Paul Chen <chenpaul@google.com>
-rw-r--r-- | target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c b/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
index 3d1c10ce4..f5fc86559 100644
--- a/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
+++ b/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
@@ -318,6 +318,11 @@ static QDF_STATUS target_if_dbr_replenish_ring(struct wlan_objmgr_pdev *pdev,
 return QDF_STATUS_E_FAILURE;
 }
 
+ if (cookie >= mod_param->dbr_ring_cfg->num_ptr) {
+ direct_buf_rx_err("invalid cookie %d", cookie);
+ return QDF_STATUS_E_INVAL;
+ }
+
 dbr_psoc_obj = wlan_objmgr_psoc_get_comp_private_obj(psoc,
 WLAN_TARGET_IF_COMP_DIRECT_BUF_RX);
 
@@ -720,6 +725,11 @@ static void *target_if_dbr_vaddr_lookup(
 
 dbr_buf_pool = mod_param->dbr_buf_pool;
 
+ if (cookie >= mod_param->dbr_ring_cfg->num_ptr) {
+ direct_buf_rx_err("invalid cookie %d", cookie);
+ return NULL;
+ }
+
 if (dbr_buf_pool[cookie].paddr == paddr) {
 return dbr_buf_pool[cookie].vaddr +
 dbr_buf_pool[cookie].offset;
|
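Review bot: `direct_buf_rx_err("invalid cookie %d", cookie);` uses a signed conversion, here in target_if_dbr_replenish_ring and again in the second hunk. The guard has no lower-bound test, which suggests `cookie` is an unsigned type (its declaration is outside the hunk); if so, an out-of-range value would be logged as a negative number, and the line should read `direct_buf_rx_err("invalid cookie %u", cookie);`. The guard also reads `mod_param->dbr_ring_cfg->num_ptr`, and no NULL check on `dbr_ring_cfg` is visible in the hunk, so confirm that one exists earlier in the function, whose body starts and continues outside the hunk.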
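Review bot: In target_if_dbr_vaddr_lookup the bound tested is `mod_param->dbr_ring_cfg->num_ptr`, but the array indexed right after is `mod_param->dbr_buf_pool`, and nothing in the hunk shows that the pool is allocated with exactly `num_ptr` entries. The guard is only as strong as that invariant, so state it at the check, for example `/* dbr_buf_pool holds dbr_ring_cfg->num_ptr entries; reject any cookie outside it */`. The same three-line guard is duplicated in the first hunk; a small static helper that takes `mod_param` and `cookie` would keep the two sites from drifting apart. The function body starts and continues outside the hunk.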