qcacld-3.0: Fix OOB access in htt_rx_ring_fill_n

Validate num and idx variables to avoid OOB access. Change-Id: I920a3cd12744055cfc8315e3b16f8564a3cf9683 CRs-Fixed: 2225604
2018-05-11 18:28:59 +05:30
parent 2d87a1c78c
commit 1273054d88
1 changed files with 8 additions and 0 deletions
--- a/core/dp/htt/htt_rx.c
+++ b/core/dp/htt/htt_rx.c
@@ -398,6 +398,14 @@ static int htt_rx_ring_fill_n(struct htt_pdev_t *pdev, int num)

 	idx = *(pdev->rx_ring.alloc_idx.vaddr);

+	if ((idx < 0) || (idx > pdev->rx_ring.size_mask) ||
+	    (num > pdev->rx_ring.size))  {
+		QDF_TRACE(QDF_MODULE_ID_HTT,
+			  QDF_TRACE_LEVEL_ERROR,
+			  "%s:rx refill failed!", __func__);
+		return filled;
+	}
+
 moretofill:
 	while (num > 0) {
 		qdf_dma_addr_t paddr, paddr_marked;