authorSravan Kumar Kairam <sgoud@codeaurora.org>2018-07-10 19:56:56 +0800
committerShirle Yuen <shirleyshukyee@google.com>2018-07-30 10:34:39 -0700
commit63f022b9442e6398bc41d16366ae33de5257be22 (patch)
tree8a86e6131c24e14815abe27d4b2f61f429b4e5ef
parente966ecb2a3274dbaeec6451e92083a6eb31a57e2 (diff)
downloadqcom-msm8x09-v3.10-63f022b9442e6398bc41d16366ae33de5257be22.tar.gz
qcacld-2.0: Fix possible OOB access in ol_rx_reorder_detect_hole
Currently tid is extracted from HTT message and it is used without check. This may cause possible OOB array read. To address this add check for valid tid. Change-Id: Idb03236e05fe43326f9ab46ae8368adc9a92d92a CRs-Fixed: 2225497 Bug: 111289931 (cherry picked from commit 9310c577a8f4e538617ba197d36db64660df7f3c)
-rw-r--r--drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c b/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
index 0e9928a332b..1fc62d3ab1b 100644
--- a/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
+++ b/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
@@ -489,6 +489,12 @@ static void ol_rx_reorder_detect_hole(struct ol_txrx_peer_t *peer,
{
uint32_t win_sz_mask, next_rel_idx, hole_size;
+ if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+ TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+ "%s: invalid tid, %u\n", __func__, tid);
+ return;
+ }
+
if (peer->tids_next_rel_idx[tid] == INVALID_REORDER_INDEX)
return;
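Review bot: The added guard at the top of ol_rx_reorder_detect_hole compares tid with OL_TXRX_NUM_EXT_TIDS, but the hunk does not show that this constant is the declared length of peer->tids_next_rel_idx, the array the next statement indexes; if the two ever drift apart, the check stops protecting the read. I would either bound it by the array itself, e.g. `if (tid >= ARRAY_SIZE(peer->tids_next_rel_idx)) {` (assuming the kernel macro is usable in this file), or add a comment such as `/* tid comes from the HTT message; tids_next_rel_idx has OL_TXRX_NUM_EXT_TIDS entries */`. Because the function is static and returns void, its callers cannot tell that the tid was rejected, so any other per-tid indexing they do with the same value (not visible here) presumably needs the same validation at the point where the tid is extracted. The error print is also reachable once per message with no rate limit, which is worth confirming is acceptable for the kernel log. The function's full signature and the rest of its body are outside the hunk.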