qcacmn: Fix NULL pointer derefence and possible OOB issue
Add validity check for possible OOB and NULL pointer dereference Change-Id: Icc51ee44271b575bf6b7a6fb83f074c8729cd887 CRs-Fixed: 2347448
Этот коммит содержится в:
Alok Kumar
коммит произвёл
nshrivas
nshrivas
родитель
58b8be02d1
Коммит
80488cef11
@@ -3588,14 +3588,19 @@ inline unsigned int hif_get_dst_ring_read_index(struct hif_softc *scn,
|
||||
static inline void hif_config_rri_on_ddr(struct hif_softc *scn)
|
||||
{
|
||||
unsigned int i;
|
||||
qdf_dma_addr_t paddr_rri_on_ddr;
|
||||
uint32_t high_paddr, low_paddr;
|
||||
qdf_dma_addr_t paddr_rri_on_ddr = 0;
|
||||
|
||||
scn->vaddr_rri_on_ddr =
|
||||
(uint32_t *)qdf_mem_alloc_consistent(scn->qdf_dev,
|
||||
scn->qdf_dev->dev, (CE_COUNT*sizeof(uint32_t)),
|
||||
&paddr_rri_on_ddr);
|
||||
|
||||
if (!scn->vaddr_rri_on_ddr) {
|
||||
HIF_DBG("dmaable page alloc fail");
|
||||
return;
|
||||
}
|
||||
|
||||
scn->paddr_rri_on_ddr = paddr_rri_on_ddr;
|
||||
low_paddr = BITS0_TO_31(paddr_rri_on_ddr);
|
||||
high_paddr = BITS32_TO_35(paddr_rri_on_ddr);
|
||||
|
||||
@@ -1583,6 +1583,12 @@ ssize_t hif_dump_desc_event(struct hif_softc *scn, char *buf)
|
||||
|
||||
ce_hist = &scn->hif_ce_desc_hist;
|
||||
|
||||
if (ce_hist->hist_id >= CE_COUNT_MAX ||
|
||||
ce_hist->hist_index >= HIF_CE_HISTORY_MAX) {
|
||||
qdf_print("Invalid values");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
hist_ev =
|
||||
(struct hif_ce_desc_event *)ce_hist->hist_ev[ce_hist->hist_id];
|
||||
|
||||
@@ -1593,12 +1599,6 @@ ssize_t hif_dump_desc_event(struct hif_softc *scn, char *buf)
|
||||
|
||||
event = &hist_ev[ce_hist->hist_index];
|
||||
|
||||
if ((ce_hist->hist_id >= CE_COUNT_MAX) ||
|
||||
(ce_hist->hist_index >= HIF_CE_HISTORY_MAX)) {
|
||||
qdf_print("Invalid values");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
qdf_log_timestamp_to_secs(event->time, &secs, &usecs);
|
||||
|
||||
len += snprintf(buf, PAGE_SIZE - len,
|
||||
@@ -1658,8 +1658,8 @@ ssize_t hif_input_desc_trace_buf_index(struct hif_softc *scn,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (sscanf(buf, "%d %d", &ce_hist->hist_id,
|
||||
&ce_hist->hist_index) != 2) {
|
||||
if (sscanf(buf, "%u %u", (unsigned int *)&ce_hist->hist_id,
|
||||
(unsigned int *)&ce_hist->hist_index) != 2) {
|
||||
pr_err("%s: Invalid input value.\n", __func__);
|
||||
return -EINVAL;
|
||||
}
|
||||
@@ -1703,7 +1703,8 @@ ssize_t hif_ce_en_desc_hist(struct hif_softc *scn, const char *buf, size_t size)
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (sscanf(buf, "%d %d", &ce_id, &cfg) != 2) {
|
||||
if (sscanf(buf, "%u %u", (unsigned int *)&ce_id,
|
||||
(unsigned int *)&cfg) != 2) {
|
||||
pr_err("%s: Invalid input: Enter CE Id<sp><1/0>.\n", __func__);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
Ссылка в новой задаче
Block a user