From b9a832ec3336e247ee546b4b18fa7caaa7b3b1dc Mon Sep 17 00:00:00 2001
From: Wu Gao
Date: Fri, 12 Oct 2018 18:16:09 +0800
Subject: [PATCH] qcacmn: Check chain mask tables number valid
Chain mask tables number is from wmi service ready ext event, it is not check valid which will cause oob read arry of chain mask tables.
Change-Id: I2fa0251358ed66d928477c0b55933ca028c8bd53
CRs-Fixed: 2331850
---
 wmi/src/wmi_unified_tlv.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 54c10f45f5..c9bd102b72 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -23,6 +23,7 @@
 #include "wmi_version_whitelist.h"
 #include
 #include
+#include
 #include
 #ifdef FEATURE_WLAN_APF
 #include "wmi_unified_apf_tlv.h"
@@ -17045,7 +17046,8 @@ static QDF_STATUS extract_chainmask_tables_tlv(wmi_unified_t wmi_handle,
 if (!hw_caps)
 return QDF_STATUS_E_INVAL;
- if (!hw_caps->num_chainmask_tables)
+ if ((!hw_caps->num_chainmask_tables) ||
+ (hw_caps->num_chainmask_tables > PSOC_MAX_CHAINMASK_TABLES))
 return QDF_STATUS_E_INVAL;
 chainmask_caps = param_buf->mac_phy_chainmask_caps;
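Review bot: The new guard in extract_chainmask_tables_tlv bounds `hw_caps->num_chainmask_tables` against the host-side table array only, so it does not show that the firmware-supplied counts fit inside the `param_buf->mac_phy_chainmask_caps` data that was actually received. The function body continues past the hunk. If the code below walks `chainmask_caps` using per-table entry counts from the same event, those counts and their running total presumably need the same treatment against the received element count of that TLV, otherwise the out-of-bounds read just moves to the source buffer. The rejection is also silent, so a log line with the offending value before `return QDF_STATUS_E_INVAL;` would make a malformed service-ready-ext event diagnosable. I would also add a comment above the check, for example `/* num_chainmask_tables is taken from the firmware event; bound it before it is used as an array index */`.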