From ecf1416b4229ad9b94f8c7fd686adaf7604bf98a Mon Sep 17 00:00:00 2001
From: Wu Gao
Date: Tue, 8 Mar 2022 16:32:52 +0800
Subject: [PATCH] qcacmn: Check cookie and avoid to read out of bound

Read out of bound due to invalid cookie and cause device broken. This change checks cookie before using it as index of DBR buffer pool.
Change-Id: I1abc7d771cc62a7dd2dfe98784bf8ef2710f26ca
CRs-Fixed: 3144133
---
 .../direct_buf_rx/src/target_if_direct_buf_rx_main.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c b/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
index 1a6c5bbd9a..73ae9ecf00 100644
--- a/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
+++ b/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
@@ -1323,6 +1323,11 @@ static QDF_STATUS target_if_dbr_replenish_ring(struct wlan_objmgr_pdev *pdev,
 return QDF_STATUS_E_FAILURE;
 }
+ if (cookie >= mod_param->dbr_ring_cfg->num_ptr) {
+ direct_buf_rx_err("invalid cookie %d", cookie);
+ return QDF_STATUS_E_INVAL;
+ }
+
 dbr_psoc_obj = wlan_objmgr_psoc_get_comp_private_obj(psoc, WLAN_TARGET_IF_COMP_DIRECT_BUF_RX);
@@ -1811,6 +1816,11 @@ static void *target_if_dbr_vaddr_lookup(
 dbr_buf_pool = mod_param->dbr_buf_pool;
+ if (cookie >= mod_param->dbr_ring_cfg->num_ptr) {
+ direct_buf_rx_err("invalid cookie %d", cookie);
+ return NULL;
+ }
+
 if (dbr_buf_pool[cookie].paddr == paddr) {
 return dbr_buf_pool[cookie].vaddr + dbr_buf_pool[cookie].offset;
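Review bot: The new bounds check in both hunks dereferences `mod_param->dbr_ring_cfg` with no NULL check visible in the hunk context, so if the ring configuration can be absent or already freed when this path runs, the guard itself becomes the faulting access; unless a check outside the hunk already covers this, consider `if (!mod_param->dbr_ring_cfg || cookie >= mod_param->dbr_ring_cfg->num_ptr) {`. The limit is taken from `num_ptr` while the array being indexed is `dbr_buf_pool`, so the check is only sound if the pool is always allocated with exactly `num_ptr` entries; if that holds, a short comment above each check would record it, e.g. `/* dbr_buf_pool holds num_ptr entries; reject any cookie outside that range */`. If `cookie` is an unsigned 32-bit value (its declaration is outside the hunk), the log call should use `%u` so an out-of-range value is not printed as a negative number: `direct_buf_rx_err("invalid cookie %u", cookie);`. Both `target_if_dbr_replenish_ring` and `target_if_dbr_vaddr_lookup` start and end outside the hunks shown, so the points about earlier validation are inferred rather than confirmed.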