diff options
author | Sravan Kumar Kairam <sgoud@codeaurora.org> | 2018-07-10 19:56:56 +0800 |
---|---|---|
committer | Shirle Yuen <shirleyshukyee@google.com> | 2018-07-30 10:34:39 -0700 |
commit | 63f022b9442e6398bc41d16366ae33de5257be22 (patch) | |
tree | 8a86e6131c24e14815abe27d4b2f61f429b4e5ef | |
parent | e966ecb2a3274dbaeec6451e92083a6eb31a57e2 (diff) | |
download | qcom-msm8x09-v3.10-63f022b9442e6398bc41d16366ae33de5257be22.tar.gz |
qcacld-2.0: Fix possible OOB access in ol_rx_reorder_detect_hole
Currently tid is extracted from HTT message and it is used without
check. This may cause possible OOB array read. To address this add
check for valid tid.
Change-Id: Idb03236e05fe43326f9ab46ae8368adc9a92d92a
CRs-Fixed: 2225497
Bug: 111289931
(cherry picked from commit 9310c577a8f4e538617ba197d36db64660df7f3c)
-rw-r--r-- | drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c b/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c index 0e9928a332b..1fc62d3ab1b 100644 --- a/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c +++ b/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c @@ -489,6 +489,12 @@ static void ol_rx_reorder_detect_hole(struct ol_txrx_peer_t *peer, { uint32_t win_sz_mask, next_rel_idx, hole_size; + if (tid >= OL_TXRX_NUM_EXT_TIDS) { + TXRX_PRINT(TXRX_PRINT_LEVEL_ERR, + "%s: invalid tid, %u\n", __func__, tid); + return; + } + if (peer->tids_next_rel_idx[tid] == INVALID_REORDER_INDEX) return; |