From a70123f9a2568cfdbc88f483e5066c286e554eb8 Mon Sep 17 00:00:00 2001
From: Rongjing Liao <liaor@codeaurora.org>
Date: Wed, 18 Mar 2020 14:10:55 +0800
Subject: [PATCH] qcacmn: add argument sanity check to avoid OOB

In function 'target_if_vdev_mgr_multi_vdev_restart_get_ref',
'param->num_vdevs' may have chance to hold values larger than
WLAN_UMAC_PDEV_MAX_VDEVS which will result in OOB
when access array 'vdev_list' and array 'vdev_timer_started'.

This change add sanity check for 'param->num_vdevs'to avoid
OOB.

Change-Id: Iae431fdc7006fe8c80d15d400d8a0423e9284eb7
CRs-Fixed: 2644122
---
 target_if/mlme/vdev_mgr/src/target_if_vdev_mgr_tx_ops.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/target_if/mlme/vdev_mgr/src/target_if_vdev_mgr_tx_ops.c b/target_if/mlme/vdev_mgr/src/target_if_vdev_mgr_tx_ops.c
index e28f2c7ffd..5e979de0da 100644
--- a/target_if/mlme/vdev_mgr/src/target_if_vdev_mgr_tx_ops.c
+++ b/target_if/mlme/vdev_mgr/src/target_if_vdev_mgr_tx_ops.c
@@ -970,6 +970,12 @@ static QDF_STATUS target_if_vdev_mgr_multiple_vdev_restart_req_cmd(
 		return QDF_STATUS_E_INVAL;
 	}
 
+	if (param->num_vdevs > WLAN_UMAC_PDEV_MAX_VDEVS) {
+		mlme_err("param->num_vdevs: %u exceed the limit",
+			 param->num_vdevs);
+		return QDF_STATUS_E_INVAL;
+	}
+
 	last_vdev_idx = target_if_vdev_mgr_multi_vdev_restart_get_ref(
 							pdev, param,
 							vdev_list,