qcacmn: Fix bounds check in populate_mac_phy_capability

In populate_mac_phy_capability, bounds on an array are checked after writing to the array. This leads to writing to one past the end of the array under error conditions. Check the bounds of the array before, rather than after, writing to it in populate_mac_phy_capability. Change-Id: I34c7415b8fb925bea5a715214e3aa3ac8a4bacc8 CRs-Fixed: 2059155
2017-06-09 11:37:19 -07:00
commit 69280df6ee
--- a/target_if/init_deinit/src/service_ready_event_handler.c
+++ b/target_if/init_deinit/src/service_ready_event_handler.c
@@ -168,6 +168,12 @@ static int populate_mac_phy_capability(void *handle, uint8_t *evt,

 	mac_phy_id = 0;
 	while (phy_bit_map) {
+		if (*total_mac_phy >= PSOC_MAX_MAC_PHY_CAP) {
+			WMI_LOGE("total mac phy exceeds max limit %d",
+				*total_mac_phy);
+			return -EINVAL;
+		}
+
 		status = wmi_extract_mac_phy_cap_service_ready_ext(handle,
 				evt, hw_mode_id, mac_phy_id,
 				&(service_param->mac_phy_cap[*total_mac_phy]));
@@ -175,12 +181,8 @@ static int populate_mac_phy_capability(void *handle, uint8_t *evt,
 			WMI_LOGE("failed to parse mac phy capability");
 			return qdf_status_to_os_return(status);
 		}
+
 		(*total_mac_phy)++;
-		if (*total_mac_phy > PSOC_MAX_MAC_PHY_CAP) {
-			WMI_LOGE("total mac phy exceeds max limit %d",
-				*total_mac_phy);
-			return -EINVAL;
-		}
 		phy_bit_map &= (phy_bit_map - 1);
 		mac_phy_id++;
 	}