wlan: Validating TID in the received packet.
In TL,currently TID of the received packet is not validated.
When a packet with TID >=8 is received, access category is
computed from out of bound array access, leading to crash.
Change-Id: I9eeab7dfc5283cecd416f6dca25659c5e185ef75
CRs-Fixed: 828409
diff --git a/CORE/TL/src/wlan_qct_tl.c b/CORE/TL/src/wlan_qct_tl.c
index f1f8448..917fdda 100644
--- a/CORE/TL/src/wlan_qct_tl.c
+++ b/CORE/TL/src/wlan_qct_tl.c
@@ -5988,9 +5988,6 @@
{
ucSTAId = (v_U8_t)WDA_GET_RX_STAID( pvBDHeader );
ucTid = (v_U8_t)WDA_GET_RX_TID( pvBDHeader );
-#ifdef WLAN_FEATURE_LINK_LAYER_STATS
- ac = WLANTL_TID_2_AC[ucTid];
-#endif
TLLOG2(VOS_TRACE( VOS_MODULE_ID_TL, VOS_TRACE_LEVEL_INFO_HIGH,
"WLAN TL:Data packet received for STA %d", ucSTAId));
@@ -6015,16 +6012,21 @@
}
}/*if bcast*/
- if ( WLANTL_STA_ID_INVALID(ucSTAId) )
+ if ((WLANTL_STA_ID_INVALID(ucSTAId)) || (WLANTL_TID_INVALID(ucTid)))
{
TLLOGW(VOS_TRACE( VOS_MODULE_ID_TL, VOS_TRACE_LEVEL_WARN,
- "WLAN TL:STA ID invalid - dropping pkt"));
+ "WLAN TL:STAId %d, Tid %d. Invalid STA ID/TID- dropping pkt",
+ ucSTAId, ucTid));
/* Drop packet */
vos_pkt_return_packet(vosTempBuff);
vosTempBuff = vosDataBuff;
continue;
}
+#ifdef WLAN_FEATURE_LINK_LAYER_STATS
+ ac = WLANTL_TID_2_AC[ucTid];
+#endif
+
/*----------------------------------------------------------------------
No need to lock cache access because cache manipulation only happens
in the transport thread/task context