authorSrinivas Girigowda <quic_sgirigow@quicinc.com>2021-10-14 14:33:39 -0700
committerchenpaul <chenpaul@google.com>2021-10-25 17:02:23 +0800
commit6deca5f66ad307f7b2d6aa198593726cc026aa90 (patch)
treefb2fd0cda3cf2e73b18b0d64586a1873e97bd3ea
parentf7682613e5e9ca1c1900b30a29be19d391313d9b (diff)
downloadqca-wfi-host-cmn-6deca5f66ad307f7b2d6aa198593726cc026aa90.tar.gz
Currently, in function wmi_extract_dbr_buf_release_entry, num_buf_release_entry and num_meta_data_entry are copied to the direct_buf_rx_rsp structure without any validation, which may cause an out-of-bounds access if the num_buf_release_entry or num_meta_data_entries provided in the fixed param is greater than the actual number of entries. The fix is to validate num_entries and num_meta_data before populating param->num_buf_release_entry and param->num_meta_data_entry. Change-Id: I18050fd4f90f8815d7eceb5f715fdbaa09130d3a CRs-Fixed: 3000875 Bug: 202032183 Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rw-r--r--target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c5
-rwxr-xr-xwmi/src/wmi_unified_tlv.c12
2 files changed, 16 insertions, 1 deletions
diff --git a/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c b/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
index 36cfeb964..3d1c10ce4 100644
--- a/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
+++ b/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
@@ -839,6 +839,11 @@ static int target_if_direct_buf_rx_rsp_event_handler(ol_scn_t scn,
dbr_buf_pool = mod_param->dbr_buf_pool;
dbr_rsp.dbr_entries = qdf_mem_malloc(dbr_rsp.num_buf_release_entry *
sizeof(struct direct_buf_rx_entry));
+ if (!dbr_rsp.dbr_entries) {
+ direct_buf_rx_err("invalid dbr_entries");
+ wlan_objmgr_pdev_release_ref(pdev, dbr_mod_id);
+ return QDF_STATUS_E_FAILURE;
+ }
if (dbr_rsp.num_meta_data_entry > dbr_rsp.num_buf_release_entry) {
direct_buf_rx_err("More than expected number of metadata");
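Review bot: The new failure branch after `qdf_mem_malloc` logs "invalid dbr_entries" and returns `QDF_STATUS_E_FAILURE`, which makes an allocation failure indistinguishable from a malformed event when triaging logs. The requested size is derived from `dbr_rsp.num_buf_release_entry`, a count taken from the firmware event, so the message should carry it: `direct_buf_rx_err("dbr_entries alloc failed, num_buf_release_entry %d", dbr_rsp.num_buf_release_entry);` followed by `return QDF_STATUS_E_NOMEM;`. If a zero count can reach this point it would presumably land in the same branch, and the logged count would show that. The handler's body starts and ends outside the hunk, so other cleanup on this path cannot be checked from here.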
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index dfa6d280d..5316ca7a4 100755
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2016-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2021 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -20214,7 +20214,17 @@ static QDF_STATUS extract_dbr_buf_release_fixed_tlv(wmi_unified_t wmi_handle,
param->pdev_id = wmi_handle->ops->convert_pdev_id_target_to_host(
ev->pdev_id);
param->mod_id = ev->mod_id;
+ if ((!param_buf->num_entries) ||
+ param_buf->num_entries < ev->num_buf_release_entry){
+ wmi_err("actual num of buf release entries less than provided entries");
+ return QDF_STATUS_E_INVAL;
+ }
param->num_buf_release_entry = ev->num_buf_release_entry;
+ if ((!param_buf->num_meta_data) ||
+ param_buf->num_meta_data < ev->num_meta_data_entry) {
+ wmi_err("actual num of meta data entries less than provided entries");
+ return QDF_STATUS_E_INVAL;
+ }
param->num_meta_data_entry = ev->num_meta_data_entry;
WMI_LOGD("%s:pdev id %d mod id %d num buf release entry %d\n", __func__,
param->pdev_id, param->mod_id, param->num_buf_release_entry);
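Review bot: The `!param_buf->num_meta_data` term in the second check rejects every event that carries no metadata TLVs, even when `ev->num_meta_data_entry` is 0, and logs it as a count mismatch; whether firmware may legitimately send buffer-release events without metadata is not visible here, so this should be confirmed. If it can, the bounds comparison alone, `if (param_buf->num_meta_data < ev->num_meta_data_entry) {`, is enough to prevent the over-read. Both messages would also be more useful for triage with the two counts included, e.g. `wmi_err("num_entries %d < num_buf_release_entry %d", param_buf->num_entries, ev->num_buf_release_entry);`. Note that `param` is already partly written when either check returns `QDF_STATUS_E_INVAL`, so callers must not read it on failure; the function continues outside the hunk.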