qcacmn: Validate vdev_id before accessing vdev_response_timer

As a part of vdev responses from the FW, the driver fetches the
appropriate vdev_response_timer info using the vdev_id. This vdev_id is
taken from the response coming from FW. Currently, this vdev_id is not
being validated and is being used to access the array psoc_vdev_rt. This
can potentially lead to out of bounds access.

Add validation to the vdev_id before performing the fetch operation.

Change-Id: I6f25a14ccc3c8a96a1b6c863a760809c29de4003
CRs-Fixed: 2658462
Sourav Mohapatra
2020-04-07 11:28:58 +05:30
committed by: nshrivas
parent 2ae12c22d3
commit 227ff6c08a

@@ -39,6 +39,11 @@ tgt_vdev_mgr_get_response_timer_info(struct wlan_objmgr_psoc *psoc,
{
struct psoc_mlme_obj *psoc_mlme;
if (vdev_id >= WLAN_UMAC_PSOC_MAX_VDEVS) {
mlme_err("Incorrect vdev_id: %d", vdev_id);
return NULL;
}
psoc_mlme = mlme_psoc_get_priv(psoc);
if (!psoc_mlme) {
mlme_err("VDEV_%d PSOC_%d PSOC_MLME is NULL", vdev_id,
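
Review bot: The new check `if (vdev_id >= WLAN_UMAC_PSOC_MAX_VDEVS)` tests only the upper bound, and the type of vdev_id is not visible in this hunk. If the parameter is signed, a negative value taken from the FW response passes this test and still indexes psoc_vdev_rt out of bounds, so please confirm the parameter is unsigned or add a lower-bound test. Please also confirm that WLAN_UMAC_PSOC_MAX_VDEVS is the declared dimension of psoc_vdev_rt (the array is not shown here), and that every caller of tgt_vdev_mgr_get_response_timer_info() handles the new NULL return. Because the value is firmware-supplied, the `mlme_err("Incorrect vdev_id: %d", vdev_id)` line can fire repeatedly; consider a rate-limited log if the logging layer offers one.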