-rw-r--r-- | target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c | 5 | ||||
-rwxr-xr-x | wmi/src/wmi_unified_tlv.c | 12 |
2 files changed, 16 insertions, 1 deletions
diff --git a/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c b/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
index 36cfeb964..3d1c10ce4 100644
--- a/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
+++ b/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
@@ -839,6 +839,11 @@ static int target_if_direct_buf_rx_rsp_event_handler(ol_scn_t scn,
 dbr_buf_pool = mod_param->dbr_buf_pool;
 dbr_rsp.dbr_entries = qdf_mem_malloc(dbr_rsp.num_buf_release_entry * sizeof(struct direct_buf_rx_entry));
+ if (!dbr_rsp.dbr_entries) {
+ direct_buf_rx_err("invalid dbr_entries");
+ wlan_objmgr_pdev_release_ref(pdev, dbr_mod_id);
+ return QDF_STATUS_E_FAILURE;
+ }
 if (dbr_rsp.num_meta_data_entry > dbr_rsp.num_buf_release_entry) {
 direct_buf_rx_err("More than expected number of metadata");
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index dfa6d280d..5316ca7a4 100755
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
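Review bot: In target_if_direct_buf_rx_main.c, the new NULL check is the handler's only visible guard on `dbr_rsp.num_buf_release_entry * sizeof(struct direct_buf_rx_entry)`, a size built from a count that appears to come from the WMI event; a zero count, or a product that wraps where size_t is 32 bits, is not rejected as such before the allocation. Consider checking the count explicitly ahead of `qdf_mem_malloc` and wording the log as an allocation failure, e.g. `direct_buf_rx_err("dbr_entries alloc failed");`, because "invalid dbr_entries" reads like a malformed event. The hunk header shows the function declared `static int` while the new branch returns `QDF_STATUS_E_FAILURE`; the rest of the body is outside the hunk, so confirm this matches its other error returns.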
@@ -20214,7 +20214,17 @@ static QDF_STATUS extract_dbr_buf_release_fixed_tlv(wmi_unified_t wmi_handle,
 param->pdev_id = wmi_handle->ops->convert_pdev_id_target_to_host( ev->pdev_id);
 param->mod_id = ev->mod_id;
+ if ((!param_buf->num_entries) ||
+ param_buf->num_entries < ev->num_buf_release_entry){
+ wmi_err("actual num of buf release entries less than provided entries");
+ return QDF_STATUS_E_INVAL;
+ }
 param->num_buf_release_entry = ev->num_buf_release_entry;
+ if ((!param_buf->num_meta_data) ||
+ param_buf->num_meta_data < ev->num_meta_data_entry) {
+ wmi_err("actual num of meta data entries less than provided entries");
+ return QDF_STATUS_E_INVAL;
+ }
 param->num_meta_data_entry = ev->num_meta_data_entry;
 WMI_LOGD("%s:pdev id %d mod id %d num buf release entry %d\n", __func__, param->pdev_id, param->mod_id, param->num_buf_release_entry); |
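Review bot: The `!param_buf->num_meta_data` clause in extract_dbr_buf_release_fixed_tlv rejects every event that carries no metadata entries, even when `ev->num_meta_data_entry` is 0; if metadata is optional for some modules (the handler in target_if_direct_buf_rx_main.c only requires it not to exceed the release-entry count), a bounds-only test such as `if (param_buf->num_meta_data < ev->num_meta_data_entry) {` would keep the protection without dropping those events. The log text has the same issue, since it says "less than provided" for the zero case as well. `param->pdev_id` and `param->mod_id` are already written when either check returns `QDF_STATUS_E_INVAL`, so callers must not read `param` on failure; a short comment saying so would help. The first condition ends in `){` where the second uses `) {`. The function body starts and ends outside the hunk.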