qcacld-3.0: Fix potential buffer overflow in htt_t2h_lp_msg_handler

qcacld-2.0 to qcacld-3.0 propagation Check for the validity of peer_id when received the htt message of HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP from firmware to ensure the buffer overflow does not happen. Change-Id: Ib3f92f4de0b406a78bf34d348c07cb3981277513 CRs-Fixed: 2147119
2017-12-05 15:58:48 +08:00
parent 62ef4fb08d
commit 25c131e8a8
1 changed files with 16 additions and 0 deletions
--- a/core/dp/htt/htt_t2h.c
+++ b/core/dp/htt/htt_t2h.c
@@ -362,6 +362,14 @@ static void htt_t2h_lp_msg_handler(void *context, qdf_nbuf_t htt_t2h_msg,
 			(uint8_t *) (msg_word + 1),
 			&mac_addr_deswizzle_buf[0]);

+		if (peer_id > ol_cfg_max_peer_id(pdev->ctrl_pdev)) {
+			qdf_print("%s: HTT_T2H_MSG_TYPE_PEER_MAP,"
+				"invalid peer_id, %u\n",
+				__FUNCTION__,
+				peer_id);
+			break;
+		}
+
 		ol_rx_peer_map_handler(pdev->txrx_pdev, peer_id,
 				       vdev_id, peer_mac_addr,
 				       1 /*can tx */);
@@ -372,6 +380,14 @@ static void htt_t2h_lp_msg_handler(void *context, qdf_nbuf_t htt_t2h_msg,
 		uint16_t peer_id;

 		peer_id = HTT_RX_PEER_UNMAP_PEER_ID_GET(*msg_word);
+		if (peer_id > ol_cfg_max_peer_id(pdev->ctrl_pdev)) {
+			qdf_print("%s: HTT_T2H_MSG_TYPE_PEER_UNMAP,"
+				"invalid peer_id, %u\n",
+				__FUNCTION__,
+				peer_id);
+			break;
+		}
+
 		ol_rx_peer_unmap_handler(pdev->txrx_pdev, peer_id);
 		break;
 	}