qcacmn: Add length check for twt additional parameters
Add a length check on the additional parameters extracted from WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID. CRs-Fixed: 2755498 Change-Id: I913547bad8a1f823a01ff36f22dbe3d305e533bc

committed by
snandini

parent
8841346dcb
commit
afac78b33d
@@ -2183,8 +2183,8 @@ QDF_STATUS (*extract_twt_add_dialog_comp_event)(wmi_unified_t wmi_handle,
|
|||||||
QDF_STATUS (*extract_twt_add_dialog_comp_additional_params)
|
QDF_STATUS (*extract_twt_add_dialog_comp_additional_params)
|
||||||
(
|
(
|
||||||
wmi_unified_t wmi_handle, uint8_t *evt_buf,
|
wmi_unified_t wmi_handle, uint8_t *evt_buf,
|
||||||
struct wmi_twt_add_dialog_additional_params *additional_params,
|
uint32_t evt_buf_len, uint32_t idx,
|
||||||
uint32_t idx
|
struct wmi_twt_add_dialog_additional_params *additional_params
|
||||||
);
|
);
|
||||||
|
|
||||||
QDF_STATUS (*extract_twt_del_dialog_comp_event)(wmi_unified_t wmi_handle,
|
QDF_STATUS (*extract_twt_del_dialog_comp_event)(wmi_unified_t wmi_handle,
|
||||||
|
@@ -164,15 +164,16 @@ QDF_STATUS wmi_extract_twt_add_dialog_comp_event(
|
|||||||
* twt parameters, as part of add dialog completion event
|
* twt parameters, as part of add dialog completion event
|
||||||
* @wmi_hdl: wmi handle
|
* @wmi_hdl: wmi handle
|
||||||
* @evt_buf: Pointer event buffer
|
* @evt_buf: Pointer event buffer
|
||||||
* @additional_params: additional parameters to extract
|
* @evt_buf_len: length of the add dialog event buffer
|
||||||
* @idx: index of num_twt_params to extract
|
* @idx: index of num_twt_params to extract
|
||||||
|
* @additional_params: additional parameters to extract
|
||||||
*
|
*
|
||||||
* Return: QDF_STATUS_SUCCESS on success and QDF_STATUS_E_FAILURE for failure
|
* Return: QDF_STATUS_SUCCESS on success and QDF_STATUS_E_FAILURE for failure
|
||||||
*/
|
*/
|
||||||
QDF_STATUS wmi_extract_twt_add_dialog_comp_additional_params(
|
QDF_STATUS wmi_extract_twt_add_dialog_comp_additional_params(
|
||||||
wmi_unified_t wmi_handle, uint8_t *evt_buf,
|
wmi_unified_t wmi_handle, uint8_t *evt_buf,
|
||||||
struct wmi_twt_add_dialog_additional_params *additional_params,
|
uint32_t evt_buf_len, uint32_t idx,
|
||||||
uint32_t idx);
|
struct wmi_twt_add_dialog_additional_params *additional_params);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* wmi_extract_twt_del_dialog_comp_event() - Extract WMI event params for TWT
|
* wmi_extract_twt_del_dialog_comp_event() - Extract WMI event params for TWT
|
||||||
|
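Review bot: The kernel-doc for `wmi_extract_twt_add_dialog_comp_additional_params()` still promises only `QDF_STATUS_E_FAILURE` on failure, while the TLV implementation's comment, changed in this same commit, now documents `QDF_STATUS_E_INVAL`, and its visible error paths return that code. A caller that matches on the documented value would miss the new validation failures, so I would reword the line to `* Return: QDF_STATUS_SUCCESS on success, QDF_STATUS_E_INVAL if the event fails validation, QDF_STATUS_E_FAILURE if the op is not registered`. The new `@evt_buf_len` line should say which length is meant, because the implementation compares it for exact equality: for example `* @evt_buf_len: length in bytes of the event as received from firmware`, assuming that is what callers pass (no caller is visible on this page). The `@wmi_hdl` tag also does not match the parameter name `wmi_handle`.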
@@ -151,13 +151,14 @@ QDF_STATUS wmi_extract_twt_add_dialog_comp_event(
|
|||||||
|
|
||||||
QDF_STATUS wmi_extract_twt_add_dialog_comp_additional_params(
|
QDF_STATUS wmi_extract_twt_add_dialog_comp_additional_params(
|
||||||
wmi_unified_t wmi_handle, uint8_t *evt_buf,
|
wmi_unified_t wmi_handle, uint8_t *evt_buf,
|
||||||
struct wmi_twt_add_dialog_additional_params *additional_params,
|
uint32_t evt_buf_len, uint32_t idx,
|
||||||
uint32_t idx)
|
struct wmi_twt_add_dialog_additional_params *additional_params)
|
||||||
{
|
{
|
||||||
if (wmi_handle->ops->extract_twt_add_dialog_comp_additional_params)
|
if (wmi_handle->ops->extract_twt_add_dialog_comp_additional_params)
|
||||||
return wmi_handle->ops->
|
return wmi_handle->ops->
|
||||||
extract_twt_add_dialog_comp_additional_params(
|
extract_twt_add_dialog_comp_additional_params(
|
||||||
wmi_handle, evt_buf, additional_params, idx);
|
wmi_handle, evt_buf, evt_buf_len, idx,
|
||||||
|
additional_params);
|
||||||
|
|
||||||
return QDF_STATUS_E_FAILURE;
|
return QDF_STATUS_E_FAILURE;
|
||||||
}
|
}
|
||||||
|
@@ -452,21 +452,23 @@ static QDF_STATUS extract_twt_add_dialog_comp_event_tlv(
|
|||||||
* twt parameters, as part of add dialog completion event
|
* twt parameters, as part of add dialog completion event
|
||||||
* @wmi_hdl: wmi handle
|
* @wmi_hdl: wmi handle
|
||||||
* @evt_buf: Pointer event buffer
|
* @evt_buf: Pointer event buffer
|
||||||
* @additional_params: twt additional parameters to extract
|
* @evt_buf_len: length of the add dialog event buffer
|
||||||
* @idx: index of num_twt_params
|
* @idx: index of num_twt_params
|
||||||
|
* @additional_params: twt additional parameters to extract
|
||||||
*
|
*
|
||||||
* Return: QDF_STATUS_SUCCESS on success and QDF_STATUS_E_FAILURE for failure
|
* Return: QDF_STATUS_SUCCESS on success and QDF_STATUS_E_INVAL for failure
|
||||||
*/
|
*/
|
||||||
static QDF_STATUS extract_twt_add_dialog_comp_additional_parameters
|
static QDF_STATUS extract_twt_add_dialog_comp_additional_parameters
|
||||||
(
|
(
|
||||||
wmi_unified_t wmi_handle, uint8_t *evt_buf,
|
wmi_unified_t wmi_handle, uint8_t *evt_buf,
|
||||||
struct wmi_twt_add_dialog_additional_params *additional_params,
|
uint32_t evt_buf_len, uint32_t idx,
|
||||||
uint32_t idx
|
struct wmi_twt_add_dialog_additional_params *additional_params
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID_param_tlvs *param_buf;
|
WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID_param_tlvs *param_buf;
|
||||||
wmi_twt_add_dialog_complete_event_fixed_param *ev;
|
wmi_twt_add_dialog_complete_event_fixed_param *ev;
|
||||||
uint32_t flags = 0;
|
uint32_t flags = 0;
|
||||||
|
uint32_t expected_len;
|
||||||
|
|
||||||
param_buf = (WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID_param_tlvs *)evt_buf;
|
param_buf = (WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID_param_tlvs *)evt_buf;
|
||||||
if (!param_buf) {
|
if (!param_buf) {
|
||||||
@@ -476,7 +478,12 @@ static QDF_STATUS extract_twt_add_dialog_comp_additional_parameters
|
|||||||
|
|
||||||
ev = param_buf->fixed_param;
|
ev = param_buf->fixed_param;
|
||||||
|
|
||||||
if (ev->status != WMI_HOST_ADD_TWT_STATUS_OK) {
|
/*
|
||||||
|
* For Alternate values from AP, Firmware sends additional params
|
||||||
|
* with WMI_HOST_ADD_TWT_STATUS_DENIED
|
||||||
|
*/
|
||||||
|
if (ev->status != WMI_HOST_ADD_TWT_STATUS_OK &&
|
||||||
|
ev->status != WMI_HOST_ADD_TWT_STATUS_DENIED) {
|
||||||
WMI_LOGE("Status of add dialog complete is not success");
|
WMI_LOGE("Status of add dialog complete is not success");
|
||||||
return QDF_STATUS_E_INVAL;
|
return QDF_STATUS_E_INVAL;
|
||||||
}
|
}
|
||||||
@@ -492,6 +499,16 @@ static QDF_STATUS extract_twt_add_dialog_comp_additional_parameters
|
|||||||
return QDF_STATUS_E_INVAL;
|
return QDF_STATUS_E_INVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
expected_len = (sizeof(wmi_twt_add_dialog_complete_event_fixed_param) +
|
||||||
|
WMI_TLV_HDR_SIZE + (param_buf->num_twt_params *
|
||||||
|
sizeof(wmi_twt_add_dialog_additional_params)));
|
||||||
|
|
||||||
|
if (evt_buf_len != expected_len) {
|
||||||
|
WMI_LOGE("Got invalid len data from FW %d expected %d",
|
||||||
|
evt_buf_len, expected_len);
|
||||||
|
return QDF_STATUS_E_INVAL;
|
||||||
|
}
|
||||||
|
|
||||||
flags = param_buf->twt_params[idx].flags;
|
flags = param_buf->twt_params[idx].flags;
|
||||||
additional_params->twt_cmd = TWT_FLAGS_GET_CMD(flags);
|
additional_params->twt_cmd = TWT_FLAGS_GET_CMD(flags);
|
||||||
additional_params->bcast = TWT_FLAGS_GET_BROADCAST(flags);
|
additional_params->bcast = TWT_FLAGS_GET_BROADCAST(flags);
|
||||||
|
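Review bot: The `expected_len` computation added in the last hunk can wrap or truncate, because `param_buf->num_twt_params * sizeof(wmi_twt_add_dialog_additional_params)` is stored in a `uint32_t`. A large enough firmware-supplied count could then produce a small `expected_len` that still equals `evt_buf_len`, leaving the `twt_params[idx]` read below the check guarded by a count the length test never really validated. Whether the TLV parser already bounds `num_twt_params` is not visible here, so I would bound it locally before multiplying, e.g. `if (param_buf->num_twt_params > evt_buf_len / sizeof(wmi_twt_add_dialog_additional_params)) return QDF_STATUS_E_INVAL;`. The check of `idx` against `num_twt_params` is presumably the cut-off `return QDF_STATUS_E_INVAL;` context just above the new lines, and it is worth confirming it stays ahead of the array access; the function body starts and ends outside these hunks. Both arguments of the new `WMI_LOGE` are `uint32_t`, so the format should use `%u` rather than `%d`.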