From ed2a224ba24470ccd8bb36cc9f1d9010ade68a57 Mon Sep 17 00:00:00 2001
From: Yun Park
Date: Tue, 5 Jun 2018 12:06:27 -0700
Subject: [PATCH] qcacmn: Fix out-of-bounds write in htc_add_receive_pkt_multiple

In htc_add_receive_pkt_multiple, out-of-bounds write to a buffer.
Fix by checking the endpoint against the max endpoint.

Change-Id: Iaa82c7e8f3ae59f007380a7697959dd79dfb81ed
CRs-Fixed: 2232836
---
 htc/htc_recv.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/htc/htc_recv.c b/htc/htc_recv.c
index d6c60d3300..1f18e2a634 100644
--- a/htc/htc_recv.c
+++ b/htc/htc_recv.c
@@ -518,7 +518,10 @@ A_STATUS htc_add_receive_pkt_multiple(HTC_HANDLE HTCHandle,
 return A_EINVAL;
 }
- AR_DEBUG_ASSERT(pFirstPacket->Endpoint < ENDPOINT_MAX);
+ if (pFirstPacket->Endpoint >= ENDPOINT_MAX) {
+ A_ASSERT(false);
+ return A_EINVAL;
+ }
 AR_DEBUG_PRINTF(ATH_DEBUG_RECV, ("+- htc_add_receive_pkt_multiple : endPointId: %d, cnt:%d, length: %d\n",
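Review bot: The new guard in htc_add_receive_pkt_multiple bounds `Endpoint` only from above, so a negative value would still pass if `Endpoint` has a signed type; its declaration is not visible here, but the trace below prints it with `%d`. If it is signed, check both sides, e.g. `if (pFirstPacket->Endpoint < 0 || pFirstPacket->Endpoint >= ENDPOINT_MAX) {`. Separately, `A_ASSERT(false)` on this path may halt the driver in builds where the assert is fatal, so it is worth confirming that this is intended for a value that can be wrong at run time. The function body starts and ends outside the hunk, so the indexed access this check protects is not shown.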