samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Fix out-of-bounds in tx_stats

Browse Source 
The tx_stats array length num_entries can't be more than
param_buf->num_tx_stats from fw.
Otherwies out-of-bounds will happen when read wmi_tx_stats.

Change-Id: I7ab3c7cc7baef6d903ba6301622bd67efe52cebe
CRs-Fixed: 3104318
This commit is contained in:
chunquan
2022-01-07 15:43:31 +08:00
committed by Madan Koyyalamudi
parent 978d0ba909
commit 6d61b6f5df
1 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
core/wma/src/wma_utils.c
View File

@@ -1147,9 +1147,9 @@ wma_fill_tx_stats(struct sir_wifi_ll_ext_stats *ll_stats,
struct sir_wifi_tx *tx_stats; struct sir_wifi_tx *tx_stats;
struct sir_wifi_ll_ext_peer_stats *peer_stats; struct sir_wifi_ll_ext_peer_stats *peer_stats;
uint32_t *tx_mpdu_aggr, *tx_succ_mcs, *tx_fail_mcs, *tx_delay; uint32_t *tx_mpdu_aggr, *tx_succ_mcs, *tx_fail_mcs, *tx_delay;
uint32_t len, dst_len, param_len, tx_mpdu_aggr_array_len, uint32_t len, dst_len, param_len, num_entries,
tx_succ_mcs_array_len, tx_fail_mcs_array_len, tx_mpdu_aggr_array_len, tx_succ_mcs_array_len,
tx_delay_array_len; tx_fail_mcs_array_len, tx_delay_array_len;
result = *buf; result = *buf;
dst_len = *buf_length; dst_len = *buf_length;
@@ -1228,6 +1228,12 @@ wma_fill_tx_stats(struct sir_wifi_ll_ext_stats *ll_stats,
return QDF_STATUS_E_FAILURE; return QDF_STATUS_E_FAILURE;
} }
num_entries = fix_param->num_peer_ac_tx_stats * WLAN_MAX_AC;
if (num_entries > param_buf->num_tx_stats) {
wma_err("tx stats invalid arg, %d", num_entries);
return QDF_STATUS_E_FAILURE;
}
for (i = 0; i < fix_param->num_peer_ac_tx_stats; i++) { for (i = 0; i < fix_param->num_peer_ac_tx_stats; i++) {
uint32_t peer_id = wmi_peer_tx[i].peer_id; uint32_t peer_id = wmi_peer_tx[i].peer_id;
struct sir_wifi_tx *ac; struct sir_wifi_tx *ac;