qcacmn: Add length check for twt additional parameters

Add length check in additional parameters extracted from WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID. CRs-Fixed: 2755498 Change-Id: I913547bad8a1f823a01ff36f22dbe3d305e533bc
2020-08-14 12:54:02 +05:30
parent 8841346dcb
commit afac78b33d
4 changed files with 32 additions and 13 deletions
--- a/wmi/inc/wmi_unified_priv.h
+++ b/wmi/inc/wmi_unified_priv.h
@@ -2183,8 +2183,8 @@ QDF_STATUS (*extract_twt_add_dialog_comp_event)(wmi_unified_t wmi_handle,
 QDF_STATUS (*extract_twt_add_dialog_comp_additional_params)
 		(
 		 wmi_unified_t wmi_handle, uint8_t *evt_buf,
-		 struct wmi_twt_add_dialog_additional_params *additional_params,
-		 uint32_t idx
+		 uint32_t evt_buf_len, uint32_t idx,
+		 struct wmi_twt_add_dialog_additional_params *additional_params
 		);

 QDF_STATUS (*extract_twt_del_dialog_comp_event)(wmi_unified_t wmi_handle,
--- a/wmi/inc/wmi_unified_twt_api.h
+++ b/wmi/inc/wmi_unified_twt_api.h
@@ -164,15 +164,16 @@ QDF_STATUS wmi_extract_twt_add_dialog_comp_event(
 * twt parameters, as part of add dialog completion event
 * @wmi_hdl: wmi handle
 * @evt_buf: Pointer event buffer
- * @additional_params: additional parameters to extract
+ * @evt_buf_len: length of the add dialog event buffer
 * @idx: index of num_twt_params to extract
+ * @additional_params: additional parameters to extract
 *
 * Return: QDF_STATUS_SUCCESS on success and QDF_STATUS_E_FAILURE for failure
 */
 QDF_STATUS wmi_extract_twt_add_dialog_comp_additional_params(
 		wmi_unified_t wmi_handle, uint8_t *evt_buf,
-		struct wmi_twt_add_dialog_additional_params *additional_params,
-		uint32_t idx);
+		uint32_t evt_buf_len, uint32_t idx,
+		struct wmi_twt_add_dialog_additional_params *additional_params);

 /**
 * wmi_extract_twt_del_dialog_comp_event() - Extract WMI event params for TWT
--- a/wmi/src/wmi_unified_twt_api.c
+++ b/wmi/src/wmi_unified_twt_api.c
@@ -151,13 +151,14 @@ QDF_STATUS wmi_extract_twt_add_dialog_comp_event(

 QDF_STATUS wmi_extract_twt_add_dialog_comp_additional_params(
 		wmi_unified_t wmi_handle, uint8_t *evt_buf,
-		struct wmi_twt_add_dialog_additional_params *additional_params,
-		uint32_t idx)
+		uint32_t evt_buf_len, uint32_t idx,
+		struct wmi_twt_add_dialog_additional_params *additional_params)
 {
 	if (wmi_handle->ops->extract_twt_add_dialog_comp_additional_params)
 		return wmi_handle->ops->
 			extract_twt_add_dialog_comp_additional_params(
-			wmi_handle, evt_buf, additional_params, idx);
+			wmi_handle, evt_buf, evt_buf_len, idx,
+			additional_params);

 	return QDF_STATUS_E_FAILURE;
 }
--- a/wmi/src/wmi_unified_twt_tlv.c
+++ b/wmi/src/wmi_unified_twt_tlv.c
@@ -452,21 +452,23 @@ static QDF_STATUS extract_twt_add_dialog_comp_event_tlv(
 * twt parameters, as part of add dialog completion event
 * @wmi_hdl: wmi handle
 * @evt_buf: Pointer event buffer
- * @additional_params: twt additional parameters to extract
+ * @evt_buf_len: length of the add dialog event buffer
 * @idx: index of num_twt_params
+ * @additional_params: twt additional parameters to extract
 *
- * Return: QDF_STATUS_SUCCESS on success and QDF_STATUS_E_FAILURE for failure
+ * Return: QDF_STATUS_SUCCESS on success and QDF_STATUS_E_INVAL for failure
 */
 static QDF_STATUS extract_twt_add_dialog_comp_additional_parameters
 (
 	wmi_unified_t wmi_handle, uint8_t *evt_buf,
-	struct wmi_twt_add_dialog_additional_params *additional_params,
-	uint32_t idx
+	uint32_t evt_buf_len, uint32_t idx,
+	struct wmi_twt_add_dialog_additional_params *additional_params
 )
 {
 	WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID_param_tlvs *param_buf;
 	wmi_twt_add_dialog_complete_event_fixed_param *ev;
 	uint32_t flags = 0;
+	uint32_t expected_len;

 	param_buf = (WMI_TWT_ADD_DIALOG_COMPLETE_EVENTID_param_tlvs *)evt_buf;
 	if (!param_buf) {
@@ -476,7 +478,12 @@ static QDF_STATUS extract_twt_add_dialog_comp_additional_parameters

 	ev = param_buf->fixed_param;

-	if (ev->status != WMI_HOST_ADD_TWT_STATUS_OK) {
+	/*
+	 * For Alternate values from AP, Firmware sends additional params
+	 * with WMI_HOST_ADD_TWT_STATUS_DENIED
+	 */
+	if (ev->status != WMI_HOST_ADD_TWT_STATUS_OK &&
+	    ev->status != WMI_HOST_ADD_TWT_STATUS_DENIED) {
 		WMI_LOGE("Status of add dialog complete is not success");
 		return QDF_STATUS_E_INVAL;
 	}
@@ -492,6 +499,16 @@ static QDF_STATUS extract_twt_add_dialog_comp_additional_parameters
 		return QDF_STATUS_E_INVAL;
 	}

+	expected_len = (sizeof(wmi_twt_add_dialog_complete_event_fixed_param) +
+			WMI_TLV_HDR_SIZE + (param_buf->num_twt_params *
+			sizeof(wmi_twt_add_dialog_additional_params)));
+
+	if (evt_buf_len != expected_len) {
+		WMI_LOGE("Got invalid len data from FW %d expected %d",
+			 evt_buf_len, expected_len);
+		return QDF_STATUS_E_INVAL;
+	}
+
 	flags = param_buf->twt_params[idx].flags;
 	additional_params->twt_cmd = TWT_FLAGS_GET_CMD(flags);
 	additional_params->bcast = TWT_FLAGS_GET_BROADCAST(flags);