qcacmn: Add check for buffer overflow and null pointer dereference

There is a chance of a null pointer dereference on
num_eht_user_info_valid and of an out-of-bounds array access on
eht_user_info.

Add checks for both cases, as either may cause a crash.

Change-Id: Icb5235612a1225b9991c99519b5ee49536c577bc
CRs-Fixed: 3426873
Aravind Kishore Sukla
2023-03-07 11:53:41 +05:30
committed by Madan Koyyalamudi
parent 9064b44469
commit a3a4e67eed
2 changed files with 6 additions and 2 deletions


@@ -242,6 +242,8 @@ enum wsc_op_code {
#define MAX_CHAIN 8
#define QDF_MON_STATUS_MPDU_FCS_BMAP_NWORDS 8
#define EHT_USER_INFO_LEN 4
/**
* typedef qdf_nbuf_queue_t - Platform independent packet queue abstraction
*/
@@ -512,7 +514,7 @@ struct mon_rx_status {
uint32_t usig_mask;
uint32_t eht_known;
uint32_t eht_data[6];
uint32_t eht_user_info[4];
uint32_t eht_user_info[EHT_USER_INFO_LEN];
#ifdef QCA_UNDECODED_METADATA_SUPPORT
uint32_t phyrx_abort:1,
phyrx_abort_reason:8,
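Review bot: `EHT_USER_INFO_LEN` is added without a comment and sits beside unrelated limits, so nothing ties it to the `num_eht_user_info_valid` count it is meant to cap. Suggest documenting it, e.g. `/* Number of 32-bit words in mon_rx_status.eht_user_info[]; num_eht_user_info_valid must not exceed this */`. The neighbouring `eht_data[6]` still uses a bare literal and is indexed up to `[5]` in the radiotap writer, so a named length there would keep the two arrays consistent. struct mon_rx_status starts and ends outside the hunk.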


@@ -5120,7 +5120,9 @@ qdf_nbuf_update_radiotap_eht_flags(struct mon_rx_status *rx_status,
put_unaligned_le32(rx_status->eht_data[5], &rtap_buf[rtap_len]);
rtap_len += 4;
for (user = 0; user < rx_status->num_eht_user_info_valid; user++) {
for (user = 0; user < EHT_USER_INFO_LEN &&
rx_status->num_eht_user_info_valid &&
user < rx_status->num_eht_user_info_valid; user++) {
put_unaligned_le32(rx_status->eht_user_info[user],
&rtap_buf[rtap_len]);
rtap_len += 4;
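Review bot: The added middle clause `rx_status->num_eht_user_info_valid &&` in the loop condition is a zero test on a count, not a NULL check, and `rx_status` is already dereferenced by the `eht_data[5]` write just above, so the null-dereference case named in the commit message is not covered here. The `user < EHT_USER_INFO_LEN` clause is what actually bounds the read of `eht_user_info[]`; assuming the count is unsigned, the condition can be reduced to `user < EHT_USER_INFO_LEN && user < rx_status->num_eht_user_info_valid`. An over-range count is now truncated silently, so it would be worth validating or logging it where the field is populated (not visible in this hunk), and confirming that `rtap_buf` has room for the extra `4 * EHT_USER_INFO_LEN` bytes, since no bound on `rtap_len` is visible. The loop body and the rest of qdf_nbuf_update_radiotap_eht_flags continue outside the hunk.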