qcacmn: Fix OOB access issues in HTC and HIF
Possible OOB Access array 'endpoint' of size '9' while calling 'log_packet_info' in below APIs: get_htc_send_packets_credit_based() get_htc_send_packets() INT_MAX may be used to access array 'hif_ext_group->os_irq' of size 16 in function hif_ipci_irq_set_affinity_hint(). Fix is to add index range check before accessing those arrays. Change-Id: Iab40fe816d8dfcf1ffbf05987b11378ef0fe2572 CRs-Fixed: 3779968
This commit is contained in:
Srikanth Marepalli
committad av
Ravindra Konda
Ravindra Konda
förälder
908cf6b29c
incheckning
f2063f8aea
@@ -575,7 +575,7 @@ void hif_ipci_irq_set_affinity_hint(struct hif_exec_context *hif_ext_group,
|
||||
}
|
||||
}
|
||||
}
|
||||
for (i = 0; i < hif_ext_group->numirq; i++) {
|
||||
for (i = 0; i < hif_ext_group->numirq && i < HIF_MAX_GRP_IRQ; i++) {
|
||||
if (mask_set) {
|
||||
ret = hif_affinity_mgr_set_qrg_irq_affinity((struct hif_softc *)hif_ext_group->hif,
|
||||
hif_ext_group->os_irq[i],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Copyright (c) 2013-2021 The Linux Foundation. All rights reserved.
|
||||
* Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
|
||||
* Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for
|
||||
* any purpose with or without fee is hereby granted, provided that the
|
||||
@@ -1206,7 +1206,9 @@ static void get_htc_send_packets_credit_based(HTC_TARGET *target,
|
||||
HTC_PACKET_QUEUE_DEPTH(pQueue)));
|
||||
|
||||
pPacket = htc_get_pkt_at_head(tx_queue);
|
||||
if (!pPacket)
|
||||
if (!pPacket ||
|
||||
(pPacket->Endpoint >= ENDPOINT_MAX) ||
|
||||
(pPacket->Endpoint <= ENDPOINT_UNUSED))
|
||||
break;
|
||||
log_packet_info(target, pPacket);
|
||||
break;
|
||||
@@ -1370,7 +1372,9 @@ static void get_htc_send_packets(HTC_TARGET *target,
|
||||
/* bus suspended, runtime resume issued */
|
||||
QDF_ASSERT(HTC_PACKET_QUEUE_DEPTH(pQueue) == 0);
|
||||
pPacket = htc_get_pkt_at_head(tx_queue);
|
||||
if (!pPacket)
|
||||
if (!pPacket ||
|
||||
(pPacket->Endpoint >= ENDPOINT_MAX) ||
|
||||
(pPacket->Endpoint <= ENDPOINT_UNUSED))
|
||||
break;
|
||||
log_packet_info(target, pPacket);
|
||||
break;
|
||||
|
||||
Referens i nytt ärende
Block a user