qcacld-3.0: Fix potential buffer overflow in ol_rx_flush_handler
qcacld-2.0 to qcacld-3.0 propagation
Validate the tid carried in the HTT_T2H_MSG_TYPE_RX_FLUSH and
HTT_T2H_MSG_TYPE_RX_PN_IND HTT messages received from firmware,
so that an out-of-range tid cannot cause a buffer overflow.
And correct the sequence number type from signed int to unsigned.
Change-Id: Ibff86e891c335bfe8c2f9db82410545036463ed3
CRs-Fixed: 2149399
diff --git a/core/dp/txrx/ol_rx_reorder.c b/core/dp/txrx/ol_rx_reorder.c
index a3dab80..9a3467c 100644
--- a/core/dp/txrx/ol_rx_reorder.c
+++ b/core/dp/txrx/ol_rx_reorder.c
@@ -607,6 +607,11 @@
struct ol_rx_reorder_array_elem_t *rx_reorder_array_elem;
htt_pdev_handle htt_pdev = pdev->htt_pdev;
+ if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+ ol_txrx_err("%s: invalid tid, %u\n", __FUNCTION__, tid);
+ return;
+ }
+
peer = ol_txrx_peer_find_by_id(pdev, peer_id);
if (peer)
vdev = peer->vdev;
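Review bot: The new guard logs with `__FUNCTION__`, a compiler extension; the C99 `__func__` is the portable spelling and reads the same, `ol_txrx_err("%s: invalid tid, %u\n", __func__, tid);`. Separately, the commit message says the tid validation also covers HTT_T2H_MSG_TYPE_RX_PN_IND, but the only `tid >= OL_TXRX_NUM_EXT_TIDS` check visible in this diff is the one here in the flush handler; the pn_ind handler's body runs past the end of this view, so confirm an equivalent early-return lands there before any tid-indexed access. The enclosing function starts before this hunk.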
@@ -649,8 +654,8 @@
ol_rx_pn_ind_handler(ol_txrx_pdev_handle pdev,
uint16_t peer_id,
uint8_t tid,
- int seq_num_start,
- int seq_num_end, uint8_t pn_ie_cnt, uint8_t *pn_ie)
+ uint16_t seq_num_start,
+ uint16_t seq_num_end, uint8_t pn_ie_cnt, uint8_t *pn_ie)
{
struct ol_txrx_vdev_t *vdev = NULL;
void *rx_desc;
@@ -660,7 +665,8 @@
qdf_nbuf_t head_msdu = NULL;
qdf_nbuf_t tail_msdu = NULL;
htt_pdev_handle htt_pdev = pdev->htt_pdev;
- int seq_num, i = 0;
+ uint16_t seq_num;
+ int i = 0;
peer = ol_txrx_peer_find_by_id(pdev, peer_id);