diff options
author | abhinav kumar <abhikuma@codeaurora.org> | 2021-08-11 22:19:11 +0530 |
---|---|---|
committer | Hsiu Chang Chen <hsiuchangchen@google.com> | 2021-11-15 09:51:16 +0000 |
commit | 2835c28c5c9787104735ab9bc0295c62fd5e9e3a (patch) | |
tree | be14db0e911577d36c96d4b90762ba7a59e7e3e9 | |
parent | 514f61185878d22a8f28eb3eb159a46235b1684c (diff) | |
download | qca-wfi-host-cmn-2835c28c5c9787104735ab9bc0295c62fd5e9e3a.tar.gz |
qcacmn: Possible Integer overflow in wifi_pos_oem_rsp_handler
API "target_if_wifi_pos_oem_rsp_ev_handler" is the handler for
the event with WMI_OEM_RESPONSE_EVENTID. Host receives
"rsp->dma_len" from fw. The integer overflow occurs if
"oem_rsp->dma_len" is big enough while calculating the total
length of the Oem Data response buffer.
Fix is to add a sanity check for rsp->dma_len to avoid integer
overflow.
Bug: 203032261
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: Idfbd358f62534eae0147f03505ced5728877a269
CRs-Fixed: 3001191
-rw-r--r-- | target_if/wifi_pos/src/target_if_wifi_pos.c | 13 | ||||
-rw-r--r-- | umac/wifi_pos/src/wifi_pos_utils_i.h | 4 |
2 files changed, 15 insertions, 2 deletions
diff --git a/target_if/wifi_pos/src/target_if_wifi_pos.c b/target_if/wifi_pos/src/target_if_wifi_pos.c index 42f5ead10..b8f90a31e 100644 --- a/target_if/wifi_pos/src/target_if_wifi_pos.c +++ b/target_if/wifi_pos/src/target_if_wifi_pos.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved. + * Copyright (c) 2013-2019, 2021 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -90,6 +90,7 @@ static QDF_STATUS target_if_wifi_pos_get_indirect_data( void *paddr = NULL; uint32_t addr_hi; uint8_t ring_idx = 0, num_rings; + uint32_t allocated_len; if (!indirect) { target_if_debug("no indirect data. regular event received"); @@ -102,6 +103,16 @@ static QDF_STATUS target_if_wifi_pos_get_indirect_data( target_if_err("incorrect pdev_id: %d", indirect->pdev_id); return QDF_STATUS_E_INVAL; } + + allocated_len = priv_obj->dma_cap[ring_idx].min_buf_size + + (priv_obj->dma_cap[ring_idx].min_buf_align - 1); + if (indirect->len > allocated_len || + indirect->len > OEM_DATA_DMA_BUFF_SIZE) { + target_if_err("Invalid indirect len: %d, allocated_len:%d", + indirect->len, allocated_len); + return QDF_STATUS_E_INVAL; + } + addr_hi = (uint64_t)WMI_OEM_DMA_DATA_ADDR_HI_GET( indirect->addr_hi); paddr = (void *)((uint64_t)addr_hi << 32 | indirect->addr_lo); diff --git a/umac/wifi_pos/src/wifi_pos_utils_i.h b/umac/wifi_pos/src/wifi_pos_utils_i.h index 5ee0380d2..676fed102 100644 --- a/umac/wifi_pos/src/wifi_pos_utils_i.h +++ b/umac/wifi_pos/src/wifi_pos_utils_i.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved. + * Copyright (c) 2012-2018, 2021 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -66,6 +66,8 @@ struct wifi_pos_req_msg; #ifndef OEM_DATA_RSP_SIZE #define OEM_DATA_RSP_SIZE 1724 +/* Header + VHT80 CIR * 2 chains */ +#define OEM_DATA_DMA_BUFF_SIZE (64 + 512 * 4 * 2) #endif /** |