Home Explore Help
Sign In
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

qcacmn: correct casting and array write index

- correct uint32_t* casting to uint16_t* given that it can overwrite values
after is dereferenced
- correct check for "for loop" max iteration as it could pass and
overwrite max array size.

Change-Id: Id2b02d1eea8c4ce4d962160bea99358fe3ab5cf7
CRs-Fixed: 3622399
Ruben Columbus 1 year ago
parent
ce99e4ef10
commit
ab8c55ec38
2 changed files with 8 additions and 5 deletions
Split View Show Diff Stats
  1. 3 0
      dp/wifi3.0/monitor/2.0/dp_tx_mon_status_2.0.c
  2. 5 5
      hal/wifi3.0/be/hal_be_generic_api.h

+ 3 - 0
dp/wifi3.0/monitor/2.0/dp_tx_mon_status_2.0.c
View File 

@@ -133,6 +133,9 @@ dp_tx_mon_status_queue_free(struct dp_pdev *pdev,
 
 	uint8_t i = tx_mon_be->cur_frag_q_idx;
 
 	uint32_t end_offset = 0;
 
 
+	if (last_frag_q_idx > MAX_STATUS_BUFFER_IN_PPDU)
 
+		last_frag_q_idx = MAX_STATUS_BUFFER_IN_PPDU;
 
+
 
 	for (; i < last_frag_q_idx; i++) {
 
 		status_frag = tx_mon_be->frag_q_vec[i].frag_buf;

+ 5 - 5
hal/wifi3.0/be/hal_be_generic_api.h
View File 

@@ -500,7 +500,7 @@ hal_txmon_parse_pcu_ppdu_setup_init(void *tx_tlv,
 
 	/* protection frame address 1 */
 
 	*(uint32_t *)&prot_status_info->addr1[0] =
 
 		pcu_init->protection_frame_ad1_31_0;
 
-	*(uint32_t *)&prot_status_info->addr1[4] =
 
+	*(uint16_t *)&prot_status_info->addr1[4] =
 
 		pcu_init->protection_frame_ad1_47_32;
 
 	/* protection frame address 2 */
 
 	*(uint32_t *)&prot_status_info->addr2[0] =
 
@@ -510,7 +510,7 @@ hal_txmon_parse_pcu_ppdu_setup_init(void *tx_tlv,
 
 	/* protection frame address 3 */
 
 	*(uint32_t *)&prot_status_info->addr3[0] =
 
 		pcu_init->protection_frame_ad3_31_0;
 
-	*(uint32_t *)&prot_status_info->addr3[4] =
 
+	*(uint16_t *)&prot_status_info->addr3[4] =
 
 		pcu_init->protection_frame_ad3_47_32;
 
 	/* protection frame address 4 */
 
 	*(uint32_t *)&prot_status_info->addr4[0] =
 
@@ -539,7 +539,7 @@ hal_txmon_parse_peer_entry(void *tx_tlv,
 
 
 	*(uint32_t *)&tx_status_info->addr1[0] =
 
 				peer_entry->mac_addr_a_31_0;
 
-	*(uint32_t *)&tx_status_info->addr1[4] =
 
+	*(uint16_t *)&tx_status_info->addr1[4] =
 
 				peer_entry->mac_addr_a_47_32;
 
 	*(uint32_t *)&tx_status_info->addr2[0] =
 
 				peer_entry->mac_addr_b_15_0;
 
@@ -2164,7 +2164,7 @@ hal_txmon_status_parse_tlv_generic_be(void *data_ppdu_info,
 
 					HAL_TX_DESC_GET_64(tx_tlv,
 
 							   RX_FRAME_BITMAP_ACK,
 
 							   ADDR1_31_0);
 
-		*(uint32_t *)&tx_status_info->addr2[4] =
 
+		*(uint16_t *)&tx_status_info->addr2[4] =
 
 					HAL_TX_DESC_GET_64(tx_tlv,
 
 							   RX_FRAME_BITMAP_ACK,
 
 							   ADDR1_47_32);
 
@@ -2232,7 +2232,7 @@ hal_txmon_status_parse_tlv_generic_be(void *data_ppdu_info,
 
 				HAL_TX_DESC_GET_64(tx_tlv,
 
 						   RX_FRAME_1K_BITMAP_ACK,
 
 						   ADDR1_31_0);
 
-		*(uint32_t *)&tx_status_info->addr1[4] =
 
+		*(uint16_t *)&tx_status_info->addr1[4] =
 
 				HAL_TX_DESC_GET_64(tx_tlv,
 
 						   RX_FRAME_1K_BITMAP_ACK,
 
 						   ADDR1_47_32);