From 315f13738599f7e8eaec27c657a79f78b39dd4b4 Mon Sep 17 00:00:00 2001
From: Lihua Liu
Date: Wed, 31 Jul 2019 17:11:44 +0800
Subject: [PATCH] qcacld-2.0: Fix buffer overflow in htt_t2h_msg_handler_fast
Propagate from qcacld3.0 to qcacld2.0 Currently variable "num_mpdu_ranges" is from message, which is used directly without any validation which causes buffer over-write. To avoid buffer over-write add check for the valid num_mpdu_ranges
Change-Id: I93e1e26a7b41ca5ab66d5f7efb92d5d64e6c7612
CRs-Fixed: 2500393
---
 drivers/net/wireless/qcacld-2.0/CORE/CLD_TXRX/HTT/htt_t2h.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/qcacld-2.0/CORE/CLD_TXRX/HTT/htt_t2h.c b/drivers/net/wireless/qcacld-2.0/CORE/CLD_TXRX/HTT/htt_t2h.c
index 6eefa16802fd..5e9308f33807 100644
--- a/drivers/net/wireless/qcacld-2.0/CORE/CLD_TXRX/HTT/htt_t2h.c
+++ b/drivers/net/wireless/qcacld-2.0/CORE/CLD_TXRX/HTT/htt_t2h.c
@@ -702,7 +702,7 @@ if (adf_os_unlikely(pdev->rx_ring.rx_reset)) {
 pdev->rx_ind_msdu_byte_idx = 0;
 if (unlikely(pdev->rx_mpdu_range_offset_words > msg_len)) {
- adf_print("HTT_T2H_MSG_TYPE_RX_IND, invalid rx_mpdu_range_offset_words %d\n",
+ adf_os_print("HTT_T2H_MSG_TYPE_RX_IND, invalid rx_mpdu_range_offset_words %d\n",
 pdev->rx_mpdu_range_offset_words);
 WARN_ON(1);
 break;
@@ -716,14 +716,14 @@ if (adf_os_unlikely(pdev->rx_ring.rx_reset)) {
 */
 if (unlikely(calculated_msg_len < pdev->rx_mpdu_range_offset_words)) {
- adf_print("HTT_T2H_MSG_TYPE_RX_IND, invalid mpdu_ranges %u\n",
+ adf_os_print("HTT_T2H_MSG_TYPE_RX_IND, invalid mpdu_ranges %u\n",
 (num_mpdu_ranges * (int)sizeof(uint32_t)));
 WARN_ON(1);
 break;
 }
 if (unlikely(calculated_msg_len > msg_len)) {
- adf_print("HTT_T2H_MSG_TYPE_RX_IND, invalid offset_words + mpdu_ranges %u\n",
+ adf_os_print("HTT_T2H_MSG_TYPE_RX_IND, invalid offset_words + mpdu_ranges %u\n",
 calculated_msg_len);
 WARN_ON(1);
 break;
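Review bot: Every rejected message on this path runs `WARN_ON(1)` next to an unconditional print, and the commit description says the rejected values come from the message itself, so a misbehaving target can fill the kernel log with backtraces; on systems that set panic_on_warn, each one is a reboot. The same pattern repeats at both rejection branches in the second hunk. I would use `WARN_ON_ONCE(1);` at all three sites and, if `adf_os_print` is not already rate limited (not visible here), throttle the message as well. The enclosing case body starts and ends outside the hunk.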
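Review bot: The length these two checks guard appears to add a value named in words (`rx_mpdu_range_offset_words`) to a byte count (`num_mpdu_ranges * (int)sizeof(uint32_t)`), going by the log text `offset_words + mpdu_ranges`; the assignment to `calculated_msg_len` is outside the hunk, so this is inferred. If `msg_len` is in bytes and the offset really is a word count, the `calculated_msg_len > msg_len` test would accept ranges that extend past the message. The same question applies to the `rx_mpdu_range_offset_words > msg_len` comparison in the first hunk. I would confirm the units and state them in a comment above the checks, for example `/* msg_len and both operands below are byte counts */`, or convert the offset before comparing if they differ.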