qcacmn: Check mbox_index as index and check pointer
hif_dev_map_pipe_to_mail_box may return 255 and assign to mbox_index,
which will cause a buffer overflow. Another issue is a missing NULL check
after allocating memory in function hif_dev_send_buffer.
Fix it by checking NULL/invalid return pointer/index value.
Change-Id: If7b954343847097b7b5b601c684fe6b51d90daa4
CRs-Fixed: 2058300
diff --git a/hif/src/sdio/hif_sdio_dev.c b/hif/src/sdio/hif_sdio_dev.c
index 3662e41..0bad5cd 100644
--- a/hif/src/sdio/hif_sdio_dev.c
+++ b/hif/src/sdio/hif_sdio_dev.c
@@ -62,7 +62,6 @@
* we also need 2 mbox support just as PCIe LL cases.
*/
-#define INVALID_MAILBOX_NUMBER 0xFF
/**
* hif_dev_map_pipe_to_mail_box() - maps pipe id to mailbox.
* @pdev: sdio device context
diff --git a/hif/src/sdio/hif_sdio_internal.h b/hif/src/sdio/hif_sdio_internal.h
index 4aa3684..d90a717 100644
--- a/hif/src/sdio/hif_sdio_internal.h
+++ b/hif/src/sdio/hif_sdio_internal.h
@@ -34,6 +34,8 @@
#include "htc_api.h"
#include "hif_internal.h"
+#define INVALID_MAILBOX_NUMBER 0xFF
+
#define HIF_SDIO_RX_BUFFER_SIZE 1792
#define HIF_SDIO_RX_DATA_OFFSET 64
diff --git a/hif/src/sdio/hif_sdio_send.c b/hif/src/sdio/hif_sdio_send.c
index d3e2dc6..cd0ab29 100644
--- a/hif/src/sdio/hif_sdio_send.c
+++ b/hif/src/sdio/hif_sdio_send.c
@@ -25,6 +25,7 @@
* to the Linux Foundation.
*/
+#define ATH_MODULE_NAME hif
#include <qdf_types.h>
#include <qdf_status.h>
#include <qdf_timer.h>
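Review bot: The new `#define ATH_MODULE_NAME hif` placed ahead of the includes carries no comment explaining why it must sit there; presumably the debug headers pulled in below read it (the AR_DEBUG_PRINTF calls added later in this file are the only visible consumers), which makes its position order-sensitive. A one-line comment such as `/* must precede the includes: selects the module tag used by the AR_DEBUG_* macros */` would keep a later include reordering from silently changing the log tag.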
@@ -109,6 +110,11 @@
uint32_t request = HIF_WR_ASYNC_BLOCK_INC;
uint8_t mbox_index = hif_dev_map_pipe_to_mail_box(pdev, pipe);
+ if (mbox_index == INVALID_MAILBOX_NUMBER) {
+ AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("pipe id(%d) invalid\n", pipe));
+ return QDF_STATUS_E_FAILURE;
+ }
+
padded_length = DEV_CALC_SEND_PADDED_LEN(pdev, nbytes);
A_ASSERT(padded_length - nbytes < HIF_DUMMY_SPACE_MASK + 1);
/*
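Review bot: The new early return at the top of the hunk hands back QDF_STATUS_E_FAILURE while `buf` is still whatever the caller passed in; if callers of hif_dev_send_buffer treat the netbuf as consumed on every path (the `send_context->netbuf = buf` assignment in the later hunk suggests the function takes ownership), this return leaks it, and the same question applies to the E_NOMEM return added in the last hunk of this file. The function's signature and the remainder of its body are outside the hunk, so the call sites are not visible here. Either document in the function's header comment that the caller retains the netbuf on a failure return, or release it before returning, so both new error paths agree on ownership.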
@@ -145,7 +151,15 @@
(struct hif_sendContext *)
qdf_mem_malloc(sizeof(struct hif_sendContext) +
padded_length);
- send_context->bNewAlloc = true;
+ if (send_context) {
+ send_context->bNewAlloc = true;
+ } else {
+ AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
+ ("Allocate send context fail %d\n",
+ sizeof(struct hif_sendContext) +
+ padded_length));
+ return QDF_STATUS_E_NOMEM;
+ }
}
send_context->netbuf = buf;
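Review bot: The error print added in the else branch passes `sizeof(struct hif_sendContext) + padded_length`, a `size_t`, to a `%d` conversion, which is a format/argument mismatch (undefined behavior in C and a -Wformat warning); use `("Allocate send context fail %zu\n", sizeof(struct hif_sendContext) + padded_length)`, or cast the value to `(unsigned)` and print it with `%u`. As a point of style, the NULL test reads more naturally as a guard — `if (!send_context) { ...; return QDF_STATUS_E_NOMEM; }` followed by an unconditional `send_context->bNewAlloc = true;` — which mirrors the shape of the mbox_index check added earlier in this file. The allocation branch and the enclosing function both start outside the hunk.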