From 1273054d88bd9df39c4dc17f52fb1e66b139cf83 Mon Sep 17 00:00:00 2001
From: Rakshith Suresh Patkar
Date: Fri, 11 May 2018 18:28:59 +0530
Subject: [PATCH] qcacld-3.0: Fix OOB access in htt_rx_ring_fill_n

Validate num and idx variables to avoid OOB access.

Change-Id: I920a3cd12744055cfc8315e3b16f8564a3cf9683
CRs-Fixed: 2225604
---
 core/dp/htt/htt_rx.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/core/dp/htt/htt_rx.c b/core/dp/htt/htt_rx.c
index 5cead79406..7223b8283a 100644
--- a/core/dp/htt/htt_rx.c
+++ b/core/dp/htt/htt_rx.c
@@ -398,6 +398,14 @@ static int htt_rx_ring_fill_n(struct htt_pdev_t *pdev, int num)
 
 idx = *(pdev->rx_ring.alloc_idx.vaddr);
 
+ if ((idx < 0) || (idx > pdev->rx_ring.size_mask) ||
+ (num > pdev->rx_ring.size)) {
+ QDF_TRACE(QDF_MODULE_ID_HTT,
+ QDF_TRACE_LEVEL_ERROR,
+ "%s:rx refill failed!", __func__);
+ return filled;
+ }
+
 moretofill:
 while (num > 0) {
 qdf_dma_addr_t paddr, paddr_marked;
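Review bot: The new rejection branch logs only `"%s:rx refill failed!"`, so the trace does not show whether `idx` or `num` was out of range or by how much; including the values, e.g. `"%s: rx refill rejected: idx %d num %d size %d", __func__, idx, num, pdev->rx_ring.size` (format specifiers to be matched to the field types, which are not visible here), would make a corrupted `alloc_idx` distinguishable from a caller passing a bad count. The branch also returns `filled`, which appears to still be zero at this point, so callers cannot tell a rejected refill from one where no buffers were available; whether they retry and re-log on every attempt depends on code outside this hunk. `num > pdev->rx_ring.size` bounds the request against the ring capacity only, not against the slots currently free, so it is worth confirming that callers never ask for more than the free count. The body of htt_rx_ring_fill_n starts before and continues after the hunk.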