
qcacld-3.0: Fix datapath defects detected by Static code analyser

qcacld-2.0 to qcacld-3.0 propagation

Line 118: CID 50610 (#3 of 3): Out-of-bounds access (OVERRUN)
Line 200: CID 50680 (#1 of 1): Out-of-bounds read (OVERRUN)
Line 367: CID 50732 (#1 of 1): Out-of-bounds write (OVERRUN)
Add a TID validation check in RX_IND to avoid the tid > 19 scenario.

Change-Id: I32a3339902e231a8193fb8ee984ef029e24bc7e5
CRs-Fixed: 836067
DARAM SUDHA 10 years ago
parent
commit
5dabfc7759
3 changed files with 21 additions and 5 deletions
  1. 5 0
      core/dp/htt/htt_t2h.c
  2. 1 2
      core/dp/htt/htt_tx.c
  3. 15 3
      core/dp/txrx/ol_cfg.c

+ 5 - 0
core/dp/htt/htt_t2h.c

@@ -475,6 +475,11 @@ void htt_t2h_msg_handler(void *context, HTC_PACKET *pkt)
 		peer_id = HTT_RX_IND_PEER_ID_GET(*msg_word);
 		tid = HTT_RX_IND_EXT_TID_GET(*msg_word);
 
+		if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+			cdf_print("HTT_T2H_MSG_TYPE_RX_IND, invalid tid %d\n",
+				tid);
+			break;
+		}
 		num_msdu_bytes =
 			HTT_RX_IND_FW_RX_DESC_BYTES_GET(
 				*(msg_word + 2 + HTT_RX_PPDU_DESC_SIZE32));
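Review bot: The added guard bounds `tid` only; `peer_id`, taken from the same target-supplied word on the line above, is passed on with no range check visible in this hunk, so confirm that its consumer validates it before using it as an index. The `cdf_print` on the reject path is also unthrottled, so a target that keeps sending the bad indication can flood the log; a rate-limited or once-only message would be safer. A short comment above the check would record the intent, e.g. `/* tid is target-supplied; reject values >= OL_TXRX_NUM_EXT_TIDS before they are used as an index */`. The case body and the code after the switch lie outside the hunk, so whether `break` still releases the message buffer cannot be confirmed from here.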

+ 1 - 2
core/dp/htt/htt_tx.c

@@ -252,8 +252,6 @@ static inline void htt_tx_desc_get_size(struct htt_pdev_t *pdev)
 		+ (ol_cfg_netbuf_frags_max(pdev->ctrl_pdev) + 1) * 8
 		   /* 2x uint32_t */
 		+ 4; /* uint32_t fragmentation list terminator */
-	if (pdev->tx_descs.size < sizeof(uint32_t *))
-		pdev->tx_descs.size = sizeof(uint32_t *);
 }
 
 /**
@@ -320,6 +318,7 @@ int htt_tx_attach(struct htt_pdev_t *pdev, int desc_pool_elems)
 	uint16_t num_page, num_desc_per_page;
 
 	htt_tx_desc_get_size(pdev);
+
 	/*
 	 * Make sure tx_descs.size is a multiple of 4-bytes.
 	 * It should be, but round up just to be sure.

+ 15 - 3
core/dp/txrx/ol_cfg.c

@@ -56,6 +56,20 @@ void ol_tx_set_flow_control_parameters(struct txrx_pdev_cfg_t *cfg_ctx,
 }
 #endif
 
+#if CFG_TGT_DEFAULT_RX_SKIP_DEFRAG_TIMEOUT_DUP_DETECTION_CHECK
+static inline
+uint8_t ol_defrag_timeout_check(void)
+{
+	return 1;
+}
+#else
+static inline
+uint8_t ol_defrag_timeout_check(void)
+{
+	return 0;
+}
+#endif
+
 /* FIX THIS -
  * For now, all these configuration parameters are hardcoded.
  * Many of these should actually be determined dynamically instead.
@@ -79,9 +93,7 @@ ol_pdev_handle ol_pdev_cfg_attach(cdf_device_t osdev,
 	cfg_ctx->tx_download_size = 16;
 	/* temporarily diabled PN check for Riva/Pronto */
 	cfg_ctx->rx_pn_check = 1;
-#if CFG_TGT_DEFAULT_RX_SKIP_DEFRAG_TIMEOUT_DUP_DETECTION_CHECK
-	cfg_ctx->defrag_timeout_check = 1;
-#endif
+	cfg_ctx->defrag_timeout_check = ol_defrag_timeout_check();
 	cfg_ctx->max_peer_id = 511;
 	cfg_ctx->max_vdev = CFG_TGT_NUM_VDEV;
 	cfg_ctx->pn_rx_fwd_check = 1;
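Review bot: The new `ol_defrag_timeout_check()` helper has no comment saying what its return value means, and the polarity is easy to misread: the macro is named `..._SKIP_..._CHECK` while the field it feeds is `defrag_timeout_check`, so it is unclear from here whether 1 enables or skips the defragmentation-timeout / duplicate-detection check. Because that setting governs how received fragments are validated, a doc comment above both definitions would help, e.g. `/* Returns 1 when CFG_TGT_DEFAULT_RX_SKIP_DEFRAG_TIMEOUT_DUP_DETECTION_CHECK is set, else 0; stored in cfg_ctx->defrag_timeout_check */`. Note also that `#if` treats an undefined macro as 0, so a missing definition silently selects the 0 variant. `ol_pdev_cfg_attach` continues outside the second hunk.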