Home Explore Help
Sign In
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

qcacld-3.0: Fix OOB access in htt_rx_ring_fill_n

Validate num and idx variables to avoid OOB access.

Change-Id: I920a3cd12744055cfc8315e3b16f8564a3cf9683
CRs-Fixed: 2225604
Rakshith Suresh Patkar 7 years ago
parent
2d87a1c78c
commit
1273054d88
1 changed files with 8 additions and 0 deletions
Split View Show Diff Stats
  1. 8 0
      core/dp/htt/htt_rx.c

+ 8 - 0
core/dp/htt/htt_rx.c
View File 

@@ -398,6 +398,14 @@ static int htt_rx_ring_fill_n(struct htt_pdev_t *pdev, int num)
 
 
 	idx = *(pdev->rx_ring.alloc_idx.vaddr);
 
 
+	if ((idx < 0) || (idx > pdev->rx_ring.size_mask) ||
 
+	    (num > pdev->rx_ring.size))  {
 
+		QDF_TRACE(QDF_MODULE_ID_HTT,
 
+			  QDF_TRACE_LEVEL_ERROR,
 
+			  "%s:rx refill failed!", __func__);
 
+		return filled;
 
+	}
 
+
 
 moretofill:
 
 	while (num > 0) {
 
 		qdf_dma_addr_t paddr, paddr_marked;