From 27212c73fe65b4dcc4131e14a14d1a01ddc84480 Mon Sep 17 00:00:00 2001
From: Yeshwanth Sriram Guntuka
Date: Mon, 24 May 2021 18:38:10 +0530
Subject: [PATCH] qcacmn: Fix possible OOB access for tx_hw_desc_history

Memory allocated for tx_hw_desc_history uses incorrect size parameter resulting in much lower memory to get assigned. This will result in OOB access and corruptions in memory, regions post the trailing boundary when updating tx hw desc events via dp_tx_hw_desc_update_evt. Fix is to use the appropriate memory size for tx_hw_desc_history and add NULL check in dp_tx_hw_desc_update_evt.

Change-Id: I97af7898cf8bf1b24978d559f84a2a3d00227ed8
CRs-Fixed: 2952859
---
 dp/wifi3.0/dp_main.c | 2 +-
 dp/wifi3.0/dp_tx.c | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/dp/wifi3.0/dp_main.c b/dp/wifi3.0/dp_main.c
index 08c121aa7c..5d98f8077a 100644
--- a/dp/wifi3.0/dp_main.c
+++ b/dp/wifi3.0/dp_main.c
@@ -4541,7 +4541,7 @@ static void dp_soc_tx_hw_desc_history_attach(struct dp_soc *soc)
 {
 	soc->tx_hw_desc_history = dp_context_alloc_mem(
 			soc, DP_TX_HW_DESC_HIST_TYPE,
-			sizeof(struct dp_tx_hw_desc_evt));
+			sizeof(*soc->tx_hw_desc_history));
 	if (soc->tx_hw_desc_history)
 		soc->tx_hw_desc_history->index = 0;
 }
diff --git a/dp/wifi3.0/dp_tx.c b/dp/wifi3.0/dp_tx.c
index f14bf14325..475ad40280 100644
--- a/dp/wifi3.0/dp_tx.c
+++ b/dp/wifi3.0/dp_tx.c
@@ -1523,6 +1523,9 @@ dp_tx_hw_desc_update_evt(uint8_t *hal_tx_desc_cached,
 	struct dp_tx_hw_desc_evt *evt;
 	uint64_t idx = 0;
 
+	if (!soc->tx_hw_desc_history)
+		return;
+
 	idx = ++soc->tx_hw_desc_history->index;
 	if (idx == DP_TX_HW_DESC_HIST_MAX)
 		soc->tx_hw_desc_history->index = 0;
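Review bot: An allocation failure in dp_soc_tx_hw_desc_history_attach is still silent after this hunk: the function returns void, and the `if (soc->tx_hw_desc_history)` check only skips the index reset, so a NULL history is not reported anywhere and only shows up later as missing debug data. Add an else branch that logs the failure with the driver's dp logging macro, e.g. `else` / `/* history is optional; the update path must tolerate a NULL pointer */` followed by the log call. The `sizeof(*soc->tx_hw_desc_history)` form is the right fix, since it ties the allocation to the pointed-to type rather than to one event entry; a one-line comment stating that the buffer holds the whole history, not a single dp_tx_hw_desc_evt, would stop the original mistake from being reintroduced.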
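Review bot: The wrap logic right after the new guard resets `soc->tx_hw_desc_history->index` to 0 when `idx == DP_TX_HW_DESC_HIST_MAX`, but leaves the local `idx` equal to DP_TX_HW_DESC_HIST_MAX; if the lines below the hunk index the event array with `idx` without first reducing it modulo the maximum, that is an off-by-one write past the last entry, which is the same class of bug this commit is fixing. The body of dp_tx_hw_desc_update_evt continues outside the hunk, so please confirm how `idx` is used before `evt` is assigned. The new NULL check also deserves a comment explaining why it exists, e.g. `/* history allocation is best-effort in attach; skip recording when it is absent */`. The `++` on the shared index is a plain read-modify-write; if this path runs concurrently from several tx completion contexts, two writers can collide on the same slot, so note the intended single-writer assumption or use an atomic increment.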