From 4efe1fa42d90c35139c4ea379d85e2044323c44a Mon Sep 17 00:00:00 2001
From: Harprit Chhabada
Date: Fri, 28 Sep 2018 12:06:49 -0700
Subject: [PATCH] qcacmn: Add bound check for num_per_chain_rssi_stats
Add bound check rssi_event->num_per_chain_rssi_stats in extract_all_stats_counts_tlv(). ev->num_chain_rssi_stats in target_if_cp_stats_extract_vdev_chain_rssi_stats() is derived from rssi_event->num_per_chain_rssi_stats and is used as limit in for loop. As length was never checked multiple qdf_mem_copy calls in wmi_extract_per_chain_rssi_stats() used in target_if_cp_stats_extract_vdev_chain_rssi_stats() will result in an OOB issue.
Change-Id: I204744e1435e687e33f2165744a92cdb8b975a51
CRs-Fixed: 2322298
---
wmi_unified_tlv.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/wmi_unified_tlv.c b/wmi_unified_tlv.c
index 336bc441da..bcb976b706 100644
--- a/wmi_unified_tlv.c
+++ b/wmi_unified_tlv.c
@@ -19085,6 +19085,12 @@ static QDF_STATUS extract_all_stats_counts_tlv(wmi_unified_t wmi_handle,
 WMITLV_GET_TLVLEN(rssi_event->tlv_header))
 return QDF_STATUS_SUCCESS;
+ if (rssi_event->num_per_chain_rssi_stats >=
+ WMITLV_GET_TLVLEN(rssi_event->tlv_header)) {
+ WMI_LOGE("num_per_chain_rssi_stats:%u is out of bounds",
+ rssi_event->num_per_chain_rssi_stats);
+ return QDF_STATUS_E_INVAL;
+ }
 stats_param->num_rssi_stats = rssi_event->num_per_chain_rssi_stats;
 return QDF_STATUS_SUCCESS;
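Review bot: The added guard compares an element count with `WMITLV_GET_TLVLEN(rssi_event->tlv_header)`, which appears to be the byte length of the rssi_event TLV itself, so the two sides of `>=` are in different units. If each per-chain entry copied later is larger than one byte (the structure definitions are not visible here), a count just under that length still passes, and the loop of qdf_mem_copy calls described in the commit message could still read past the data the firmware event actually carries. Consider bounding the count by the number of entries really present in the event buffer or by the fixed maximum for this array, e.g. `if (rssi_event->num_per_chain_rssi_stats > <ENTRIES_AVAILABLE_IN_EVENT>) {` (placeholder, not a real identifier), with a one-line comment stating what unit the bound is in. The preceding length-mismatch branch returns `QDF_STATUS_SUCCESS` while this one returns `QDF_STATUS_E_INVAL`; if that difference is intentional it deserves a comment. The body of extract_all_stats_counts_tlv starts and ends outside this hunk.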