Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 03ee5d71 authored by Wu Gao's avatar Wu Gao Committed by Gerrit - the friendly Code Review server
Browse files

qcacmn: Check cookie and avoid to read out of bound 

Read out of bound due to invalid cookie and cause device broken. This
change checks cookie before using it as index of DBR buffer pool.

Change-Id: I1abc7d771cc62a7dd2dfe98784bf8ef2710f26ca
CRs-Fixed: 3144133
parent 04103469

target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c

+10 −0
Original line number Diff line number Diff line
@@ -329,6 +329,11 @@ static QDF_STATUS target_if_dbr_replenish_ring(struct wlan_objmgr_pdev *pdev, 
		return QDF_STATUS_E_FAILURE;

	}



	if (cookie >= mod_param->dbr_ring_cfg->num_ptr) {

		direct_buf_rx_err("invalid cookie %d", cookie);

		return QDF_STATUS_E_INVAL;

	}



	dbr_psoc_obj = wlan_objmgr_psoc_get_comp_private_obj(psoc,

				WLAN_TARGET_IF_COMP_DIRECT_BUF_RX);
@@ -799,6 +804,11 @@ static void *target_if_dbr_vaddr_lookup( 


	dbr_buf_pool = mod_param->dbr_buf_pool;



	if (cookie >= mod_param->dbr_ring_cfg->num_ptr) {

		direct_buf_rx_err("invalid cookie %d", cookie);

		return NULL;

	}



	if (dbr_buf_pool[cookie].paddr == paddr) {

		return dbr_buf_pool[cookie].vaddr +

				dbr_buf_pool[cookie].offset;