From a3a4e67eedd539e76951f8b16b6c1cea9b056c68 Mon Sep 17 00:00:00 2001
From: Aravind Kishore Sukla
Date: Tue, 7 Mar 2023 11:53:41 +0530
Subject: [PATCH] qcacmn: Add check for buffer overflow and null pointer dereference

There is a chance for null pointer dereference for num_eht_user_info_valid and array out of bounds for eht_user_info. Add checks for both the cases as it may cause crash.

Change-Id: Icb5235612a1225b9991c99519b5ee49536c577bc
CRs-Fixed: 3426873
---
 qdf/inc/qdf_nbuf.h | 4 +++-
 qdf/linux/src/qdf_nbuf.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/qdf/inc/qdf_nbuf.h b/qdf/inc/qdf_nbuf.h
index daaec0e495..e4e52a124c 100644
--- a/qdf/inc/qdf_nbuf.h
+++ b/qdf/inc/qdf_nbuf.h
@@ -242,6 +242,8 @@ enum wsc_op_code {
 #define MAX_CHAIN 8
 #define QDF_MON_STATUS_MPDU_FCS_BMAP_NWORDS 8
+#define EHT_USER_INFO_LEN 4
+
 /**
 * typedef qdf_nbuf_queue_t - Platform independent packet queue abstraction
 */
@@ -512,7 +514,7 @@ struct mon_rx_status {
 uint32_t usig_mask;
 uint32_t eht_known;
 uint32_t eht_data[6];
- uint32_t eht_user_info[4];
+ uint32_t eht_user_info[EHT_USER_INFO_LEN];
 #ifdef QCA_UNDECODED_METADATA_SUPPORT
 uint32_t phyrx_abort:1,
 phyrx_abort_reason:8,
diff --git a/qdf/linux/src/qdf_nbuf.c b/qdf/linux/src/qdf_nbuf.c
index d247f34869..29dbe426fd 100644
--- a/qdf/linux/src/qdf_nbuf.c
+++ b/qdf/linux/src/qdf_nbuf.c
@@ -5120,7 +5120,9 @@ qdf_nbuf_update_radiotap_eht_flags(struct mon_rx_status *rx_status,
 put_unaligned_le32(rx_status->eht_data[5],
 &rtap_buf[rtap_len]);
 rtap_len += 4;
- for (user = 0; user < rx_status->num_eht_user_info_valid; user++) {
+ for (user = 0; user < EHT_USER_INFO_LEN &&
+ rx_status->num_eht_user_info_valid &&
+ user < rx_status->num_eht_user_info_valid; user++) {
 put_unaligned_le32(rx_status->eht_user_info[user],
 &rtap_buf[rtap_len]);
 rtap_len += 4;
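Review bot: The middle term of the new loop condition in qdf_nbuf_update_radiotap_eht_flags, `rx_status->num_eht_user_info_valid &&`, is redundant and is not a null-pointer check: num_eht_user_info_valid is an integer count, and when it is 0 the third term `user < rx_status->num_eht_user_info_valid` is already false at user == 0, while rx_status itself is dereferenced unguarded on the context line above (`rx_status->eht_data[5]`), so the condition can be reduced to `for (user = 0; user < EHT_USER_INFO_LEN && user < rx_status->num_eht_user_info_valid; user++) {`. The `user < EHT_USER_INFO_LEN` bound is the actual out-of-bounds protection, and it deserves a one-line comment saying so, e.g. `/* never read past eht_user_info[]; the count comes from the descriptor parser, not from this function */`. Capping the loop silently emits fewer user-info words than num_eht_user_info_valid advertises, which presumably leaves the radiotap EHT record inconsistent with whatever header field reports that count; the producer that can set a value above EHT_USER_INFO_LEN looks like the root cause and should be clamped or logged there as well. Nothing in the hunk bounds the writes into rtap_buf[rtap_len] against the buffer's capacity; presumably the caller sizes it for the maximum, but that is worth confirming. The function's signature and the rest of its body lie outside the hunk.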