qcacmn: Add bound check

Add bound check for desc_id in tgt_mgmt_txrx_get_vdev_id_from_desc_id
and tgt_mgmt_txrx_get_nbuf_from_desc_id

Change-Id: Ie27c473061fb68f1d3486cbfe95c015be77203f9
CRs-Fixed: 2304610

umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_main.c

@@ -26,22 +26,16 @@
 #include "qdf_nbuf.h"
 
 QDF_STATUS wlan_mgmt_txrx_desc_pool_init(
-			struct mgmt_txrx_priv_pdev_context *mgmt_txrx_pdev_ctx,
-			uint32_t pool_size)
+			struct mgmt_txrx_priv_pdev_context *mgmt_txrx_pdev_ctx)
 {
 	uint32_t i;
 
-	if (!pool_size) {
-		mgmt_txrx_err("Invalid pool size %u given", pool_size);
-		qdf_assert_always(pool_size);
-		return QDF_STATUS_E_INVAL;
-	}
-
 	mgmt_txrx_info(
-			"mgmt_txrx ctx: %pK pdev: %pK"
-			"initialize mgmt desc pool of size %d",
-			mgmt_txrx_pdev_ctx, mgmt_txrx_pdev_ctx->pdev, pool_size);
-	mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool = qdf_mem_malloc(pool_size *
+			"mgmt_txrx ctx: %pK pdev: %pK mgmt desc pool size %d",
+			mgmt_txrx_pdev_ctx, mgmt_txrx_pdev_ctx->pdev,
+			MGMT_DESC_POOL_MAX);
+	mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool = qdf_mem_malloc(
+			MGMT_DESC_POOL_MAX *
 			sizeof(struct mgmt_txrx_desc_elem_t));
 
 	if (!mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool) {
@@ -49,9 +43,9 @@ QDF_STATUS wlan_mgmt_txrx_desc_pool_init(
 		return QDF_STATUS_E_NOMEM;
 	}
 	qdf_list_create(&mgmt_txrx_pdev_ctx->mgmt_desc_pool.free_list,
-					pool_size);
+					MGMT_DESC_POOL_MAX);
 
-	for (i = 0; i < pool_size; i++) {
+	for (i = 0; i < MGMT_DESC_POOL_MAX; i++) {
 		mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool[i].desc_id = i;
 		mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool[i].in_use = false;
 		qdf_list_insert_front(

umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_main_i.h

@@ -199,15 +199,13 @@ struct mgmt_txrx_priv_pdev_context {
 /**
  * wlan_mgmt_txrx_desc_pool_init() - initializes mgmt. desc. pool
  * @mgmt_txrx_pdev_ctx: mgmt txrx pdev context
- * @pool_size: desc. pool size
  *
  * This function initializes the mgmt descriptor pool.
  *
  * Return: QDF_STATUS_SUCCESS - in case of success
  */
 QDF_STATUS wlan_mgmt_txrx_desc_pool_init(
-			struct mgmt_txrx_priv_pdev_context *mgmt_txrx_pdev_ctx,
-			uint32_t pool_size);
+			struct mgmt_txrx_priv_pdev_context *mgmt_txrx_pdev_ctx);
 
 /**
  * wlan_mgmt_txrx_desc_pool_deinit() - deinitializes mgmt. desc. pool

umac/cmn_services/mgmt_txrx/dispatcher/src/wlan_mgmt_txrx_tgt_api.c

@@ -1092,6 +1092,11 @@ qdf_nbuf_t tgt_mgmt_txrx_get_nbuf_from_desc_id(
 		mgmt_txrx_err("Mgmt txrx context empty for pdev %pK", pdev);
 		goto fail;
 	}
+	if (desc_id >= MGMT_DESC_POOL_MAX) {
+		mgmt_txrx_err("desc_id:%u is out of bounds", desc_id);
+		goto fail;
+	}
+
 	mgmt_desc = &mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool[desc_id];
 	if (!mgmt_desc) {
 		mgmt_txrx_err("Mgmt descriptor unavailable for id %d pdev %pK",
@@ -1151,6 +1156,10 @@ uint8_t tgt_mgmt_txrx_get_vdev_id_from_desc_id(
 		mgmt_txrx_err("Mgmt txrx context empty for pdev %pK", pdev);
 		goto fail;
 	}
+	if (desc_id >= MGMT_DESC_POOL_MAX) {
+		mgmt_txrx_err("desc_id:%u is out of bounds", desc_id);
+		goto fail;
+	}
 
 	mgmt_desc = &mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool[desc_id];
 	if (!mgmt_desc) {

umac/cmn_services/mgmt_txrx/dispatcher/src/wlan_mgmt_txrx_utils_api.c

@@ -169,8 +169,7 @@ static QDF_STATUS wlan_mgmt_txrx_pdev_obj_create_notification(
 
 	mgmt_txrx_pdev_ctx->pdev = pdev;
 
-	status = wlan_mgmt_txrx_desc_pool_init(mgmt_txrx_pdev_ctx,
-					       MGMT_DESC_POOL_MAX);
+	status = wlan_mgmt_txrx_desc_pool_init(mgmt_txrx_pdev_ctx);
 	if (status != QDF_STATUS_SUCCESS) {
 		mgmt_txrx_err(
 			"Failed to initialize mgmt desc. pool with status: %u",