qcacmn: Fix potential buffer overflow dp_rx_defrag_waitlist_flush

Currently the variable "tid" comes from a message and is used
directly as an array size, which causes a buffer over-write.

To address this issue, add a check for the array size.

Change-Id: I61ffaef69d97936774d89ee4e745ab509d77adb5
CRs-Fixed: 2200862
Author: jitiphil, 7 years ago
Commit: 301a242a31
1 changed file with 6 additions and 0 deletions: dp/wifi3.0/dp_rx_defrag.c

dp/wifi3.0/dp_rx_defrag.c

@@ -134,6 +134,12 @@ void dp_rx_defrag_waitlist_flush(struct dp_soc *soc)
 			break;
 
 		tid = rx_reorder->tid;
+		if (tid >= DP_MAX_TIDS) {
+			QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR,
+				  "%s: TID out of bounds: %d", __func__, tid);
+			qdf_assert(0);
+			continue;
+		}
 		/* get index 0 of the rx_reorder array */
 		rx_reorder_base = rx_reorder - tid;
 		peer =
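Review bot: the `qdf_assert(0)` in the new bounds check (the block after `tid = rx_reorder->tid;`) turns a value that, per the commit message, arrives from a message into a debug-build assertion failure; since the `continue` that follows already drops the bad entry, consider whether the `QDF_TRACE` error plus `continue` is the whole fix and the assert can be left out, so that a malformed message is logged and skipped rather than halting a debug build. Also confirm that `DP_MAX_TIDS` is the length of the array that `rx_reorder_base = rx_reorder - tid` walks back into (the comment says `rx_reorder` is an element of that array), and that the loop advances `rx_reorder` before this `continue` is reached; a one-line comment stating that invariant next to the check would make the bound self-explanatory.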