qcacmn: Fix possible OOB access of rx_refill_ring_history
In monitor mode, when the channel is set to any 2G band channel, the mac_id passed to the dp_mon_process API is 1. As part of dp_rx_buffers_replenish, the refill history is logged and the mac_id is used to index into the history array. The array is of size 1, so an OOB access would happen when ring_num (the mac_id passed in) is 1. The fix is to pass pdev->lmac_id to dp_rx_refill_ring_record_entry instead, and to add a ring_num sanity check. Change-Id: Id824ec8b01e7923ad74771d5f34a25f5fccb65f3 CRs-Fixed: 2939544

committed by
Madan Koyyalamudi

parent
38f2c1baf2
commit
35b9bf6c44
@@ -217,7 +217,8 @@ dp_rx_refill_ring_record_entry(struct dp_soc *soc, uint8_t ring_num,
|
||||
uint32_t tp;
|
||||
uint32_t hp;
|
||||
|
||||
if (qdf_unlikely(!soc->rx_refill_ring_history[ring_num]))
|
||||
if (qdf_unlikely(ring_num >= MAX_PDEV_CNT ||
|
||||
!soc->rx_refill_ring_history[ring_num]))
|
||||
return;
|
||||
|
||||
idx = dp_history_get_next_index(&soc->rx_refill_ring_history[ring_num]->index,
|
||||
@@ -460,7 +461,7 @@ QDF_STATUS __dp_rx_buffers_replenish(struct dp_soc *dp_soc, uint32_t mac_id,
|
||||
|
||||
dp_rx_refill_buff_pool_unlock(dp_soc);
|
||||
|
||||
dp_rx_refill_ring_record_entry(dp_soc, mac_id, rxdma_srng,
|
||||
dp_rx_refill_ring_record_entry(dp_soc, dp_pdev->lmac_id, rxdma_srng,
|
||||
num_req_buffers, count);
|
||||
|
||||
hal_srng_access_end(dp_soc->hal_soc, rxdma_srng);
|
||||
@@ -3307,8 +3308,8 @@ dp_pdev_rx_buffers_attach(struct dp_soc *dp_soc, uint32_t mac_id,
|
||||
desc_list = next;
|
||||
}
|
||||
|
||||
dp_rx_refill_ring_record_entry(dp_soc, mac_id, rxdma_srng,
|
||||
nr_nbuf, nr_nbuf);
|
||||
dp_rx_refill_ring_record_entry(dp_soc, dp_pdev->lmac_id,
|
||||
rxdma_srng, nr_nbuf, nr_nbuf);
|
||||
hal_srng_access_end(dp_soc->hal_soc, rxdma_srng);
|
||||
}
|
||||
|
||||
|
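Review bot: The new range check in dp_rx_refill_ring_record_entry returns silently when ring_num is out of bounds, which would hide a recurrence of the very mac_id/lmac_id mismatch this commit fixes if another caller reintroduces it; splitting the condition so the range half is logged, `if (qdf_unlikely(ring_num >= MAX_PDEV_CNT)) { dp_err_rl("refill history: ring_num %u out of range", ring_num); return; }` followed by the existing history-pointer check, keeps the guard while making a bad index visible in the logs. The bound is also spelled as MAX_PDEV_CNT rather than taken from the array declaration, which is not visible here; if rx_refill_ring_history is not dimensioned with exactly that constant the check drifts from the array, so `QDF_ARRAY_SIZE(soc->rx_refill_ring_history)` would tie the two together. The second and third hunks now dereference dp_pdev at the record_entry calls; whatever NULL check exists on dp_pdev lies above the hunks in __dp_rx_buffers_replenish and dp_pdev_rx_buffers_attach and should be confirmed to precede these lines on every path. All three enclosing functions start and end outside their hunks.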