Wlan: Fix out of bound access in WDI_ProcessTriggerBAReq
Out of bound access is reported by kernel address
sanitizer (KASan) tool.
==========================================================================
BUG: KASAN: slab-out-of-bounds in WDI_ProcessTriggerBAReq+0x4b8/0x66c[wlan]
at addr ffffffc058089818
Read of size 1 by task VosMCThread/28193
==========================================================================
BUG kmalloc-128 (Tainted: P B W O ): kasan: bad access detected
---------------------------------------------------------------------------
[<ffffffc00008c80c>] dump_backtrace+0x0/0x284
[<ffffffc00008caa0>] show_stack+0x10/0x1c
[<ffffffc001e98084>] dump_stack+0x74/0xfc
[<ffffffc0002f2fac>] print_trailer+0x150/0x164
[<ffffffc0002f3374>] object_err+0x38/0x4c
[<ffffffc0002f88ac>] kasan_report+0x34c/0x504
[<ffffffc0002f8a78>] __asan_report_load1_noabort+0x14/0x20
[<ffffffbffcd80afc>] WDI_ProcessTriggerBAReq+0x4b4/0x66c [wlan]
[<ffffffbffcd6289c>] WDI_MainReqStarted+0x168/0x1a8 [wlan]
[<ffffffbffcd64598>] WDI_PostMainEvent+0x14c/0x208 [wlan]
[<ffffffbffcd6a058>] WDI_PALCtrlMsgCB+0x1d0/0x18d8 [wlan]
[<ffffffbffcd02614>] VosMCThread+0x3d4/0x950 [wlan]
[<ffffffc0000f1f24>] kthread+0x22c/0x240
==========================================================================
While queuing the req in WDI_QueuePendingReq, the length passed
doesnt consider the extra user data appended to the trigger ba req.
Thus the memory is allocated will invalid length.
To fix this add the extra user data length to total length before
passing it to WDI_QueuePendingReq.
Change-Id: Ied4024f74d4d05ad6d8e03d1320cc704cb70b6e3
CRs-Fixed: 972757
diff --git a/CORE/WDA/src/wlan_qct_wda.c b/CORE/WDA/src/wlan_qct_wda.c
index b5dd442..1f3be35 100644
--- a/CORE/WDA/src/wlan_qct_wda.c
+++ b/CORE/WDA/src/wlan_qct_wda.c
@@ -16810,7 +16810,7 @@
pWdaParams->pWdaContext = pWDA;
pWdaParams->wdaWdiApiMsgParam = wdiTriggerBaReq ;
pWdaParams->wdaMsgParam = NULL;
- status = WDI_TriggerBAReq(wdiTriggerBaReq,
+ status = WDI_TriggerBAReq(wdiTriggerBaReq, size,
WDA_TriggerBaReqCallback, pWdaParams) ;
if(IS_WDI_STATUS_FAILURE(status))
{
diff --git a/CORE/WDI/CP/inc/wlan_qct_wdi.h b/CORE/WDI/CP/inc/wlan_qct_wdi.h
index 5397e51..d6618ce 100644
--- a/CORE/WDI/CP/inc/wlan_qct_wdi.h
+++ b/CORE/WDI/CP/inc/wlan_qct_wdi.h
@@ -10577,7 +10577,7 @@
@param wdiAddBAReqParams: the add BA parameters as specified by
the Device Interface
-
+ baReqParamUserDataSize: user data size of wdiAddBAReqParams
wdiAddBARspCb: callback for passing back the response of
the add BA operation received from the device
@@ -10591,6 +10591,7 @@
WDI_TriggerBAReq
(
WDI_TriggerBAReqParamsType* pwdiTriggerBAReqParams,
+ wpt_uint8 baReqParamUserDataSize,
WDI_TriggerBARspCb wdiTriggerBARspCb,
void* pUserData
);
diff --git a/CORE/WDI/CP/src/wlan_qct_wdi.c b/CORE/WDI/CP/src/wlan_qct_wdi.c
index a8bdc42..bd1b472 100644
--- a/CORE/WDI/CP/src/wlan_qct_wdi.c
+++ b/CORE/WDI/CP/src/wlan_qct_wdi.c
@@ -6122,6 +6122,7 @@
@param wdiAddBAReqParams: the add BA parameters as specified by
the Device Interface
+ baReqParamUserDataSize: user data size of wdiAddBAReqParams
wdiAddBARspCb: callback for passing back the response of
the add BA operation received from the device
@@ -6135,6 +6136,7 @@
WDI_TriggerBAReq
(
WDI_TriggerBAReqParamsType* pwdiTriggerBAReqParams,
+ wpt_uint8 baReqParamUserDataSize,
WDI_TriggerBARspCb wdiTriggerBARspCb,
void* pUserData
)
@@ -6158,7 +6160,8 @@
------------------------------------------------------------------------*/
wdiEventData.wdiRequest = WDI_TRIGGER_BA_REQ;
wdiEventData.pEventData = pwdiTriggerBAReqParams;
- wdiEventData.uEventDataSize = sizeof(*pwdiTriggerBAReqParams);
+ wdiEventData.uEventDataSize = sizeof(*pwdiTriggerBAReqParams)
+ + baReqParamUserDataSize;
wdiEventData.pCBfnc = wdiTriggerBARspCb;
wdiEventData.pUserData = pUserData;