qcacmn: Check mbox_index as index and check pointer

hif_dev_map_pipe_to_mail_box may return 255, which is assigned to
mbox_index and will cause a buffer overflow. Another issue is a missing
NULL check after allocating memory in function hif_dev_send_buffer.

Fix it by checking for a NULL return pointer and an invalid index value.

Change-Id: If7b954343847097b7b5b601c684fe6b51d90daa4
CRs-Fixed: 2058300
diff --git a/hif/src/sdio/hif_sdio_dev.c b/hif/src/sdio/hif_sdio_dev.c
index 3662e41..0bad5cd 100644
--- a/hif/src/sdio/hif_sdio_dev.c
+++ b/hif/src/sdio/hif_sdio_dev.c
@@ -62,7 +62,6 @@
  * we also need 2 mbox support just as PCIe LL cases.
  */
 
-#define INVALID_MAILBOX_NUMBER 0xFF
 /**
  * hif_dev_map_pipe_to_mail_box() - maps pipe id to mailbox.
  * @pdev: sdio device context
diff --git a/hif/src/sdio/hif_sdio_internal.h b/hif/src/sdio/hif_sdio_internal.h
index 4aa3684..d90a717 100644
--- a/hif/src/sdio/hif_sdio_internal.h
+++ b/hif/src/sdio/hif_sdio_internal.h
@@ -34,6 +34,8 @@
 #include "htc_api.h"
 #include "hif_internal.h"
 
+#define INVALID_MAILBOX_NUMBER 0xFF
+
 #define HIF_SDIO_RX_BUFFER_SIZE            1792
 #define HIF_SDIO_RX_DATA_OFFSET            64
 
diff --git a/hif/src/sdio/hif_sdio_send.c b/hif/src/sdio/hif_sdio_send.c
index d3e2dc6..cd0ab29 100644
--- a/hif/src/sdio/hif_sdio_send.c
+++ b/hif/src/sdio/hif_sdio_send.c
@@ -25,6 +25,7 @@
  * to the Linux Foundation.
  */
 
+#define ATH_MODULE_NAME hif
 #include <qdf_types.h>
 #include <qdf_status.h>
 #include <qdf_timer.h>
@@ -109,6 +110,11 @@
 	uint32_t request = HIF_WR_ASYNC_BLOCK_INC;
 	uint8_t mbox_index = hif_dev_map_pipe_to_mail_box(pdev, pipe);
 
+	if (mbox_index == INVALID_MAILBOX_NUMBER) {
+		AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("pipe id(%d) invalid\n", pipe));
+		return QDF_STATUS_E_FAILURE;
+	}
+
 	padded_length = DEV_CALC_SEND_PADDED_LEN(pdev, nbytes);
 	A_ASSERT(padded_length - nbytes < HIF_DUMMY_SPACE_MASK + 1);
 	/*
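Review bot: The new guard after the `hif_dev_map_pipe_to_mail_box()` call rejects only the single sentinel `INVALID_MAILBOX_NUMBER`, so any other out-of-range value from the mapper would still be used as an index. Since the commit message says the risk is a buffer overflow, a range check against the size of the table that `mbox_index` indexes would be sturdier, e.g. `if (mbox_index >= MAILBOX_TABLE_SIZE_PLACEHOLDER) {`, where the placeholder stands for that table's element count (not visible in this hunk). It is also worth a one-line comment on the early return saying whether the caller still owns `buf` when `QDF_STATUS_E_FAILURE` comes back, because the function's signature and its callers lie outside the hunk.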
@@ -145,7 +151,15 @@
 			(struct hif_sendContext *)
 			qdf_mem_malloc(sizeof(struct hif_sendContext) +
 				       padded_length);
-		send_context->bNewAlloc = true;
+		if (send_context) {
+			send_context->bNewAlloc = true;
+		} else {
+			AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
+				("Allocate send context fail %d\n",
+				sizeof(struct hif_sendContext) +
+				padded_length));
+			return QDF_STATUS_E_NOMEM;
+		}
 	}
 
 	send_context->netbuf = buf;
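Review bot: The error message in the new `else` branch prints `sizeof(struct hif_sendContext) + padded_length` with `%d`, but that expression has type `size_t` (or wider), so the specifier does not match the argument and the logged size can be wrong on 64-bit builds. Use `("Allocate send context fail %zu\n",` or cast the argument to match the specifier. The `if` that encloses this allocation starts outside the hunk, so please also confirm that nothing acquired earlier in the function needs releasing before the `return QDF_STATUS_E_NOMEM;`.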