From 7297c338d7eb09adfb1e1b015e023bb3d8cec1e8 Mon Sep 17 00:00:00 2001
From: Amit Mehta
Date: Tue, 24 Jan 2023 21:21:55 -0800
Subject: [PATCH] qcacld-3.0: Add check to avoid OOB access

Currently while updating EAPOL stats, there is no check for subtype greater than array size, which can result in OOB access. To fix the issue add additional check for subtype <= EAPOL M4 to avoid OOB access.

Change-Id: I906ce9166b7a0202335403c77dc6bcd135dea663
CRs-Fixed: 3387939
---
 components/dp/core/src/wlan_dp_txrx.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/components/dp/core/src/wlan_dp_txrx.c b/components/dp/core/src/wlan_dp_txrx.c
index 13a7db6a8f..46ecdc3702 100644
--- a/components/dp/core/src/wlan_dp_txrx.c
+++ b/components/dp/core/src/wlan_dp_txrx.c
@@ -796,7 +796,8 @@ void dp_sta_notify_tx_comp_cb(qdf_nbuf_t nbuf, void *ctx, uint16_t flag)
 case QDF_NBUF_CB_PACKET_TYPE_EAPOL:
 subtype = qdf_nbuf_get_eapol_subtype(nbuf);
 if (!(flag & BIT(QDF_TX_RX_STATUS_OK)) &&
- subtype != QDF_PROTO_INVALID)
+ subtype != QDF_PROTO_INVALID &&
+ subtype <= QDF_PROTO_EAPOL_M4)
 ++dp_intf->dp_stats.eapol_stats.
 tx_noack_cnt[subtype - QDF_PROTO_EAPOL_M1];
 break;
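Review bot: The added condition bounds the index only from above; the lower bound of `tx_noack_cnt[subtype - QDF_PROTO_EAPOL_M1]` still rests on `subtype != QDF_PROTO_INVALID`, which is enough only if QDF_PROTO_INVALID is the sole value below QDF_PROTO_EAPOL_M1 (neither the enum nor the type of `subtype` is visible in this hunk). Stating the range explicitly, `subtype >= QDF_PROTO_EAPOL_M1 && subtype <= QDF_PROTO_EAPOL_M4`, keeps the subtraction from going negative or wrapping if the enum is ever reordered or extended. It would also help to add a short comment such as `/* tx_noack_cnt[] holds M1..M4 only; other EAPOL subtypes are not counted */` so the silent skip of out-of-range subtypes reads as intentional. The upper bound is tied to an enumerator rather than to the array length, so the two can drift apart if the array is resized. The enclosing switch and function continue outside the hunk.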