From 35b9bf6c440ac947fb7210d559c9570be79f4c93 Mon Sep 17 00:00:00 2001
From: Yeshwanth Sriram Guntuka
Date: Fri, 7 May 2021 22:51:21 +0530
Subject: [PATCH] qcacmn: Fix possible OOB access of rx_refill_ring_history

In monitor mode, when the channel is set to any 2G band channel the mac_id passed to dp_mon_process API is 1. As part of dp_rx_buffers_replenish, refill history is logged and the mac_id is used to index into the history array. The array is of size 1 and OOB access would happen when ring_num which is the mac_id, passed in is 1. Fix is to pass the pdev->lmac_id instead to dp_rx_refill_ring_record_entry and add ring_num sanity check.

Change-Id: Id824ec8b01e7923ad74771d5f34a25f5fccb65f3
CRs-Fixed: 2939544
---
 dp/wifi3.0/dp_rx.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/dp/wifi3.0/dp_rx.c b/dp/wifi3.0/dp_rx.c
index 6aef28eccb..752e457c71 100644
--- a/dp/wifi3.0/dp_rx.c
+++ b/dp/wifi3.0/dp_rx.c
@@ -217,7 +217,8 @@ dp_rx_refill_ring_record_entry(struct dp_soc *soc, uint8_t ring_num,
 uint32_t tp;
 uint32_t hp;
- if (qdf_unlikely(!soc->rx_refill_ring_history[ring_num]))
+ if (qdf_unlikely(ring_num >= MAX_PDEV_CNT ||
+ !soc->rx_refill_ring_history[ring_num]))
 return;
 idx = dp_history_get_next_index(&soc->rx_refill_ring_history[ring_num]->index,
@@ -460,7 +461,7 @@ QDF_STATUS __dp_rx_buffers_replenish(struct dp_soc *dp_soc, uint32_t mac_id,
 dp_rx_refill_buff_pool_unlock(dp_soc);
- dp_rx_refill_ring_record_entry(dp_soc, mac_id, rxdma_srng,
+ dp_rx_refill_ring_record_entry(dp_soc, dp_pdev->lmac_id, rxdma_srng,
 num_req_buffers, count);
 hal_srng_access_end(dp_soc->hal_soc, rxdma_srng);
@@ -3307,8 +3308,8 @@ dp_pdev_rx_buffers_attach(struct dp_soc *dp_soc, uint32_t mac_id,
 desc_list = next;
 }
- dp_rx_refill_ring_record_entry(dp_soc, mac_id, rxdma_srng,
- nr_nbuf, nr_nbuf);
+ dp_rx_refill_ring_record_entry(dp_soc, dp_pdev->lmac_id,
+ rxdma_srng, nr_nbuf, nr_nbuf);
 hal_srng_access_end(dp_soc->hal_soc, rxdma_srng);
 }
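Review bot: The new guard in the first hunk bounds ring_num by MAX_PDEV_CNT, but the description says rx_refill_ring_history holds a single element, so the check only covers the index if MAX_PDEV_CNT is also the array's declared dimension; that declaration is not in the diff, so the two cannot be confirmed to agree from here. Deriving the bound from the array itself keeps them from drifting apart: `if (qdf_unlikely(ring_num >= QDF_ARRAY_SIZE(soc->rx_refill_ring_history) ||`. An out-of-range id is also dropped silently, which hides exactly the caller bug this commit fixes; a rate-limited debug log or a counter at that early return would make a recurrence visible in the field. dp_rx_refill_ring_record_entry's body continues past the hunk.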
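Review bot: In the __dp_rx_buffers_replenish hunk, and likewise in the dp_pdev_rx_buffers_attach hunk, dp_pdev->lmac_id is now dereferenced with no NULL check on dp_pdev visible; both callers obtain dp_pdev earlier in bodies that begin outside these hunks, so whether it is already validated cannot be confirmed from the diff and is worth checking, since a NULL pdev would turn the old out-of-bounds read into a NULL dereference on the same path. The callee parameter is still named ring_num although every caller now passes a pdev lmac_id that indexes the per-pdev history, so the callee's header comment should state the new meaning, e.g. `@ring_num: lmac_id of the pdev whose refill history is updated; ids >= MAX_PDEV_CNT are ignored`. Both enclosing functions start and end outside their hunks.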