From ef29d92da0c247adafd4c4d62a7ff9fca7b5a9eb Mon Sep 17 00:00:00 2001 From: Yu Tian Date: Wed, 10 Nov 2021 19:05:40 +0800 Subject: [PATCH] qcacmn: Add a tid check for RX to avoid of OOB access Tid in RX frame header may be larger than MAX TID allowed value, this will lead a out of boundary array access and lead to kernel crash at last. Change is aimed to do a TID check and discard such frame when necessary. Change-Id: Ie9e7a1816d197d05cf845e81251ef7772721b849 CRs-Fixed: 3071743 --- dp/wifi3.0/dp_stats.c | 2 ++ dp/wifi3.0/dp_types.h | 2 ++ dp/wifi3.0/li/dp_li_rx.c | 9 ++++++++- 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/dp/wifi3.0/dp_stats.c b/dp/wifi3.0/dp_stats.c index 48e3806101..5c2ec1fc03 100644 --- a/dp/wifi3.0/dp_stats.c +++ b/dp/wifi3.0/dp_stats.c @@ -6710,6 +6710,8 @@ dp_print_soc_rx_stats(struct dp_soc *soc) DP_PRINT_STATS("Reo2rel route drop:%d", soc->stats.rx.reo2rel_route_drop); DP_PRINT_STATS("Rx Flush count:%d", soc->stats.rx.err.rx_flush_count); + DP_PRINT_STATS("Rx invalid TID count:%d", + soc->stats.rx.err.rx_invalid_tid_err); } #ifdef FEATURE_TSO_STATS diff --git a/dp/wifi3.0/dp_types.h b/dp/wifi3.0/dp_types.h index 9ccf9b8d2c..2fd41f253b 100644 --- a/dp/wifi3.0/dp_types.h +++ b/dp/wifi3.0/dp_types.h @@ -1121,6 +1121,8 @@ struct dp_soc_stats { uint32_t msdu_len_err; /* Rx flush count */ uint32_t rx_flush_count; + /* Rx invalid tid count */ + uint32_t rx_invalid_tid_err; } err; /* packet count per core - per ring */ diff --git a/dp/wifi3.0/li/dp_li_rx.c b/dp/wifi3.0/li/dp_li_rx.c index 176f6d33bf..d81b2deb97 100644 --- a/dp/wifi3.0/li/dp_li_rx.c +++ b/dp/wifi3.0/li/dp_li_rx.c @@ -581,8 +581,15 @@ done: } /* Get TID from struct cb->tid_val, save to tid */ - if (qdf_nbuf_is_rx_chfrag_start(nbuf)) + if (qdf_nbuf_is_rx_chfrag_start(nbuf)) { tid = qdf_nbuf_get_tid_val(nbuf); + if (tid >= CDP_MAX_DATA_TIDS) { + DP_STATS_INC(soc, rx.err.rx_invalid_tid_err, 1); + qdf_nbuf_free(nbuf); + nbuf = next; + continue; + } + } if (qdf_unlikely(!peer)) { peer = dp_peer_get_ref_by_id(soc, peer_id,