qcacmn: Check mbox_index as index and check pointer

hif_dev_map_pipe_to_mail_box may return 255 and assign to mbox_index,
which will cause buffer overflow. Another issue is missing NULL check
after allocate memory in function hif_dev_send_buffer.

Fix it by checking NULL/invalid return pointer/index value.

Change-Id: If7b954343847097b7b5b601c684fe6b51d90daa4
CRs-Fixed: 2058300

hif/src/sdio/hif_sdio_dev.c

@@ -62,7 +62,6 @@
  * we also need 2 mbox support just as PCIe LL cases.
  */
 
-#define INVALID_MAILBOX_NUMBER 0xFF
 /**
  * hif_dev_map_pipe_to_mail_box() - maps pipe id to mailbox.
  * @pdev: sdio device context

hif/src/sdio/hif_sdio_internal.h

@@ -34,6 +34,8 @@
 #include "htc_api.h"
 #include "hif_internal.h"
 
+#define INVALID_MAILBOX_NUMBER 0xFF
+
 #define HIF_SDIO_RX_BUFFER_SIZE            1792
 #define HIF_SDIO_RX_DATA_OFFSET            64
 

hif/src/sdio/hif_sdio_send.c

@@ -25,6 +25,7 @@
  * to the Linux Foundation.
  */
 
+#define ATH_MODULE_NAME hif
 #include <qdf_types.h>
 #include <qdf_status.h>
 #include <qdf_timer.h>
@@ -109,6 +110,11 @@ QDF_STATUS hif_dev_send_buffer(struct hif_sdio_device *pdev,
 	uint32_t request = HIF_WR_ASYNC_BLOCK_INC;
 	uint8_t mbox_index = hif_dev_map_pipe_to_mail_box(pdev, pipe);
 
+	if (mbox_index == INVALID_MAILBOX_NUMBER) {
+		AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("pipe id(%d) invalid\n", pipe));
+		return QDF_STATUS_E_FAILURE;
+	}
+
 	padded_length = DEV_CALC_SEND_PADDED_LEN(pdev, nbytes);
 	A_ASSERT(padded_length - nbytes < HIF_DUMMY_SPACE_MASK + 1);
 	/*
@@ -145,7 +151,15 @@ QDF_STATUS hif_dev_send_buffer(struct hif_sdio_device *pdev,
 			(struct hif_sendContext *)
 			qdf_mem_malloc(sizeof(struct hif_sendContext) +
 				       padded_length);
-		send_context->bNewAlloc = true;
+		if (send_context) {
+			send_context->bNewAlloc = true;
+		} else {
+			AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
+				("Allocate send context fail %d\n",
+				sizeof(struct hif_sendContext) +
+				padded_length));
+			return QDF_STATUS_E_NOMEM;
+		}
 	}
 
 	send_context->netbuf = buf;