From 7993262fbee63a9838946ab56cdc27dbcbff0325 Mon Sep 17 00:00:00 2001
From: Edayilliam Jayadev
Date: Thu, 7 Apr 2022 12:01:35 +0530
Subject: [PATCH] qcacmn: Add sanity checks on reo algorithm entry
Add following checks in the entry to management Rx REO algorithm entry. 1. REO parameter are valid 2. Frame type is management
CRs-Fixed: 3166096
Change-Id: I171fc51c1dfa948e32608aa3a1bb05fc6cb2197d
---
 .../mgmt_txrx/core/src/wlan_mgmt_txrx_rx_reo.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_rx_reo.c b/umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_rx_reo.c
index 17df50722b..17bd254d68 100644
--- a/umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_rx_reo.c
+++ b/umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_rx_reo.c
@@ -2645,6 +2645,9 @@ wlan_mgmt_rx_reo_algo_entry(struct wlan_objmgr_pdev *pdev,
 {
 struct mgmt_rx_reo_context *reo_ctx;
 QDF_STATUS ret;
+ uint8_t frame_type;
+ uint8_t frame_subtype;
+ struct ieee80211_frame *wh;
 if (!is_queued)
 return QDF_STATUS_E_NULL_VALUE;
@@ -2751,6 +2754,16 @@ wlan_mgmt_rx_reo_algo_entry(struct wlan_objmgr_pdev *pdev,
 */
 qdf_spin_lock(&reo_ctx->reo_algo_entry_lock);
+ if ((desc->type == MGMT_RX_REO_FRAME_DESC_HOST_CONSUMED_FRAME ||
+ desc->type == MGMT_RX_REO_FRAME_DESC_FW_CONSUMED_FRAME) &&
+ !desc->rx_params->reo_params->valid)
+ qdf_assert_always(0);
+
+ wh = (struct ieee80211_frame *)qdf_nbuf_data(desc->nbuf);
+ frame_type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
+ frame_subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
+ qdf_assert_always(mgmt_type == IEEE80211_FC0_TYPE_MGT);
+
 /* Update the Host snapshot */
 ret = wlan_mgmt_rx_reo_update_host_snapshot(
 pdev,
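Review bot: The locals declared in this hunk do not line up with how the second hunk uses them: `frame_type` and `frame_subtype` are assigned from `wh->i_fc[0]`, but the assertion reads `mgmt_type`, which neither hunk declares. Unless `mgmt_type` is defined elsewhere in `wlan_mgmt_rx_reo_algo_entry` (its body continues outside both hunks), this will not compile; if it is defined, the check is not applied to the value just parsed from the frame. The assertion probably should read `qdf_assert_always(frame_type == IEEE80211_FC0_TYPE_MGT);`, and `frame_subtype` should be dropped if nothing below the hunk consumes it.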
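Review bot: `wh->i_fc[0]` is read from `desc->nbuf` for every descriptor type, with no check in this hunk that the buffer exists or holds a full 802.11 header, and the result feeds `qdf_assert_always`. If firmware-consumed descriptors carry no nbuf (not visible here), that is a NULL dereference with `reo_algo_entry_lock` held; and because the frame-control byte comes from a received frame, a fatal assert on it lets malformed input bring the driver down. Consider limiting the parse to `MGMT_RX_REO_FRAME_DESC_HOST_CONSUMED_FRAME`, checking `qdf_nbuf_len(desc->nbuf) >= sizeof(*wh)`, and on failure releasing the lock and returning an error status instead of asserting. The same concern applies to `desc->rx_params->reo_params`, which is dereferenced without a NULL check in this hunk, although earlier validation may exist in the part of the function outside it.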