qcacmn: Add length check for twt additional parameters

Add length check in additional parameters extracted from
WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID.

CRs-Fixed: 2755498
Change-Id: I913547bad8a1f823a01ff36f22dbe3d305e533bc
Rajasekaran Kalidoss
2020-08-14 12:54:02 +05:30
committed by snandini
parent 8841346dcb
commit afac78b33d
4 changed files with 32 additions and 13 deletions


@@ -2183,8 +2183,8 @@ QDF_STATUS (*extract_twt_add_dialog_comp_event)(wmi_unified_t wmi_handle,
QDF_STATUS (*extract_twt_add_dialog_comp_additional_params) QDF_STATUS (*extract_twt_add_dialog_comp_additional_params)
( (
wmi_unified_t wmi_handle, uint8_t *evt_buf, wmi_unified_t wmi_handle, uint8_t *evt_buf,
struct wmi_twt_add_dialog_additional_params *additional_params, uint32_t evt_buf_len, uint32_t idx,
uint32_t idx struct wmi_twt_add_dialog_additional_params *additional_params
); );
QDF_STATUS (*extract_twt_del_dialog_comp_event)(wmi_unified_t wmi_handle, QDF_STATUS (*extract_twt_del_dialog_comp_event)(wmi_unified_t wmi_handle,


@@ -164,15 +164,16 @@ QDF_STATUS wmi_extract_twt_add_dialog_comp_event(
* twt parameters, as part of add dialog completion event * twt parameters, as part of add dialog completion event
* @wmi_hdl: wmi handle * @wmi_hdl: wmi handle
* @evt_buf: Pointer event buffer * @evt_buf: Pointer event buffer
* @additional_params: additional parameters to extract * @evt_buf_len: length of the add dialog event buffer
* @idx: index of num_twt_params to extract * @idx: index of num_twt_params to extract
* @additional_params: additional parameters to extract
* *
* Return: QDF_STATUS_SUCCESS on success and QDF_STATUS_E_FAILURE for failure * Return: QDF_STATUS_SUCCESS on success and QDF_STATUS_E_FAILURE for failure
*/ */
QDF_STATUS wmi_extract_twt_add_dialog_comp_additional_params( QDF_STATUS wmi_extract_twt_add_dialog_comp_additional_params(
wmi_unified_t wmi_handle, uint8_t *evt_buf, wmi_unified_t wmi_handle, uint8_t *evt_buf,
struct wmi_twt_add_dialog_additional_params *additional_params, uint32_t evt_buf_len, uint32_t idx,
uint32_t idx); struct wmi_twt_add_dialog_additional_params *additional_params);
/** /**
* wmi_extract_twt_del_dialog_comp_event() - Extract WMI event params for TWT * wmi_extract_twt_del_dialog_comp_event() - Extract WMI event params for TWT
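Review bot: The `Return:` line of this header comment still promises only `QDF_STATUS_E_FAILURE` on failure, while the TLV implementation touched by the same commit documents and returns `QDF_STATUS_E_INVAL` when its status, index or length checks fail, and the wrapper passes that value through unchanged. I would reword it to `Return: QDF_STATUS_SUCCESS on success, QDF_STATUS_E_INVAL if the event fails validation, QDF_STATUS_E_FAILURE if the op is not registered`. The new `@evt_buf_len` line should also say that the length is in bytes and must match the fixed param plus TLV header plus `num_twt_params` entries, since callers now get a hard failure on any mismatch. Separately, `@wmi_hdl` does not match the parameter name `wmi_handle`.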


@@ -151,13 +151,14 @@ QDF_STATUS wmi_extract_twt_add_dialog_comp_event(
QDF_STATUS wmi_extract_twt_add_dialog_comp_additional_params( QDF_STATUS wmi_extract_twt_add_dialog_comp_additional_params(
wmi_unified_t wmi_handle, uint8_t *evt_buf, wmi_unified_t wmi_handle, uint8_t *evt_buf,
struct wmi_twt_add_dialog_additional_params *additional_params, uint32_t evt_buf_len, uint32_t idx,
uint32_t idx) struct wmi_twt_add_dialog_additional_params *additional_params)
{ {
if (wmi_handle->ops->extract_twt_add_dialog_comp_additional_params) if (wmi_handle->ops->extract_twt_add_dialog_comp_additional_params)
return wmi_handle->ops-> return wmi_handle->ops->
extract_twt_add_dialog_comp_additional_params( extract_twt_add_dialog_comp_additional_params(
wmi_handle, evt_buf, additional_params, idx); wmi_handle, evt_buf, evt_buf_len, idx,
additional_params);
return QDF_STATUS_E_FAILURE; return QDF_STATUS_E_FAILURE;
} }


@@ -452,21 +452,23 @@ static QDF_STATUS extract_twt_add_dialog_comp_event_tlv(
* twt parameters, as part of add dialog completion event * twt parameters, as part of add dialog completion event
* @wmi_hdl: wmi handle * @wmi_hdl: wmi handle
* @evt_buf: Pointer event buffer * @evt_buf: Pointer event buffer
* @additional_params: twt additional parameters to extract * @evt_buf_len: length of the add dialog event buffer
* @idx: index of num_twt_params * @idx: index of num_twt_params
* @additional_params: twt additional parameters to extract
* *
* Return: QDF_STATUS_SUCCESS on success and QDF_STATUS_E_FAILURE for failure * Return: QDF_STATUS_SUCCESS on success and QDF_STATUS_E_INVAL for failure
*/ */
static QDF_STATUS extract_twt_add_dialog_comp_additional_parameters static QDF_STATUS extract_twt_add_dialog_comp_additional_parameters
( (
wmi_unified_t wmi_handle, uint8_t *evt_buf, wmi_unified_t wmi_handle, uint8_t *evt_buf,
struct wmi_twt_add_dialog_additional_params *additional_params, uint32_t evt_buf_len, uint32_t idx,
uint32_t idx struct wmi_twt_add_dialog_additional_params *additional_params
) )
{ {
WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID_param_tlvs *param_buf; WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID_param_tlvs *param_buf;
wmi_twt_add_dialog_complete_event_fixed_param *ev; wmi_twt_add_dialog_complete_event_fixed_param *ev;
uint32_t flags = 0; uint32_t flags = 0;
uint32_t expected_len;
param_buf = (WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID_param_tlvs *)evt_buf; param_buf = (WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID_param_tlvs *)evt_buf;
if (!param_buf) { if (!param_buf) {
@@ -476,7 +478,12 @@ static QDF_STATUS extract_twt_add_dialog_comp_additional_parameters
ev = param_buf->fixed_param; ev = param_buf->fixed_param;
if (ev->status != WMI_HOST_ADD_TWT_STATUS_OK) { /*
* For Alternate values from AP, Firmware sends additional params
* with WMI_HOST_ADD_TWT_STATUS_DENIED
*/
if (ev->status != WMI_HOST_ADD_TWT_STATUS_OK &&
ev->status != WMI_HOST_ADD_TWT_STATUS_DENIED) {
WMI_LOGE("Status of add dialog complete is not success"); WMI_LOGE("Status of add dialog complete is not success");
return QDF_STATUS_E_INVAL; return QDF_STATUS_E_INVAL;
} }
@@ -492,6 +499,16 @@ static QDF_STATUS extract_twt_add_dialog_comp_additional_parameters
return QDF_STATUS_E_INVAL; return QDF_STATUS_E_INVAL;
} }
expected_len = (sizeof(wmi_twt_add_dialog_complete_event_fixed_param) +
WMI_TLV_HDR_SIZE + (param_buf->num_twt_params *
sizeof(wmi_twt_add_dialog_additional_params)));
if (evt_buf_len != expected_len) {
WMI_LOGE("Got invalid len data from FW %d expected %d",
evt_buf_len, expected_len);
return QDF_STATUS_E_INVAL;
}
flags = param_buf->twt_params[idx].flags; flags = param_buf->twt_params[idx].flags;
additional_params->twt_cmd = TWT_FLAGS_GET_CMD(flags); additional_params->twt_cmd = TWT_FLAGS_GET_CMD(flags);
additional_params->bcast = TWT_FLAGS_GET_BROADCAST(flags); additional_params->bcast = TWT_FLAGS_GET_BROADCAST(flags);
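Review bot: `expected_len` is a `uint32_t` built from the firmware-supplied `num_twt_params`, so the product with `sizeof(wmi_twt_add_dialog_additional_params)` can wrap on 32-bit builds or be truncated on assignment on 64-bit builds, and a wrapped value could compare equal to a small `evt_buf_len` just before `twt_params[idx]` is read. Unless the TLV parser already bounds `num_twt_params` (not visible in this hunk), do the arithmetic in a wider type and compare that, e.g. `uint64_t expected_len = sizeof(wmi_twt_add_dialog_complete_event_fixed_param) + WMI_TLV_HDR_SIZE + (uint64_t)param_buf->num_twt_params * sizeof(wmi_twt_add_dialog_additional_params);`. The `WMI_LOGE` call prints two `uint32_t` values with `%d`; `%u` matches the types and avoids negative numbers in the log for large lengths. The commit also starts accepting `WMI_HOST_ADD_TWT_STATUS_DENIED`, which the commit message does not mention, so callers should be checked for treating a successful extract as an accepted dialog. The rest of the function body lies outside the hunks shown, including whatever check bounds `idx`.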