qcacmn: Sanitize Rx buffer length received from H.W

Check if Rx single msdu length including padding and tlvs length is greater than Rx buffer size allocated to H.W and raise error to catch out of bound access. Change-Id: I7c70b8a0b6828f7fd88a19141f9087430085c13a CRs-Fixed: 2873933
2021-02-26 00:10:45 +05:30
Parent bbccf20880
--- a/dp/wifi3.0/dp_rx.c
+++ b/dp/wifi3.0/dp_rx.c
@@ -1917,6 +1917,25 @@ QDF_STATUS dp_rx_desc_nbuf_sanity_check(hal_ring_desc_t ring_desc,

 	return QDF_STATUS_E_FAILURE;
 }
+
+/**
+ * dp_rx_desc_nbuf_len_sanity_check - Add sanity check to catch Rx buffer
+ *				      out of bound access from H.W
+ *
+ * @soc: DP soc
+ * @pkt_len: Packet length received from H.W
+ *
+ * Return: NONE
+ */
+static inline void
+dp_rx_desc_nbuf_len_sanity_check(struct dp_soc *soc,
+				 uint32_t pkt_len)
+{
+	struct rx_desc_pool *rx_desc_pool;
+
+	rx_desc_pool = &soc->rx_desc_buf[0];
+	qdf_assert_always(pkt_len < rx_desc_pool->buf_size);
+}
 #else
 static inline
 QDF_STATUS dp_rx_desc_nbuf_sanity_check(hal_ring_desc_t ring_desc,
@@ -1924,6 +1943,9 @@ QDF_STATUS dp_rx_desc_nbuf_sanity_check(hal_ring_desc_t ring_desc,
 {
 	return QDF_STATUS_SUCCESS;
 }
+
+static inline void
+dp_rx_desc_nbuf_len_sanity_check(struct dp_soc *soc, uint32_t pkt_len) { }
 #endif

 #ifdef WLAN_FEATURE_RX_SOFTIRQ_TIME_LIMIT
@@ -2801,6 +2823,8 @@ done:
 				  msdu_metadata.l3_hdr_pad +
 				  RX_PKT_TLVS_LEN;

+			dp_rx_desc_nbuf_len_sanity_check(soc, pkt_len);
+
 			qdf_nbuf_set_pktlen(nbuf, pkt_len);
 			dp_rx_skip_tlvs(nbuf, msdu_metadata.l3_hdr_pad);
 		}