qcacld-2.0: Fix potential buffer overflow htt_t2h_msg_handler
Currently variable "tid" is from message, which is used directly as array size which causes buffer over-write. To address this issue add check for the array size in the ol_rx_delba_handler & ol_rx_pn_ind_handler. Change-Id: I39e5d9c5315a2bf9f34a65651025a1d8fc919c28 CRs-Fixed: 2178818
This commit is contained in:
parent
628d00a9e1
commit
e9c920d2e8
|
@ -549,6 +549,13 @@ ol_rx_delba_handler(
|
|||
struct ol_txrx_peer_t *peer;
|
||||
struct ol_rx_reorder_t *rx_reorder;
|
||||
|
||||
if (tid >= OL_TXRX_NUM_EXT_TIDS) {
|
||||
TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
|
||||
"%s: invalid tid, %u\n", __func__, tid);
|
||||
WARN_ON(1);
|
||||
return;
|
||||
}
|
||||
|
||||
peer = ol_txrx_peer_find_by_id(pdev, peer_id);
|
||||
if (peer == NULL) {
|
||||
return;
|
||||
|
@ -654,6 +661,13 @@ ol_rx_pn_ind_handler(
|
|||
u_int16_t seq_num;
|
||||
int i=0;
|
||||
|
||||
if (tid >= OL_TXRX_NUM_EXT_TIDS) {
|
||||
TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
|
||||
"%s: invalid tid, %u\n", __func__, tid);
|
||||
WARN_ON(1);
|
||||
return;
|
||||
}
|
||||
|
||||
peer = ol_txrx_peer_find_by_id(pdev, peer_id);
|
||||
|
||||
if (!peer) {
|
||||
|
|
Loading…
Reference in New Issue