
Commit 26188a68 authored by Amit Mehta's avatar Amit Mehta

qcacmn: Add a tid check for RX to avoid of OOB access

The TID in an RX frame header may be larger than the maximum
allowed TID value, which leads to an out-of-bounds array access
and eventually to a kernel crash. This change adds a TID check
and discards such frames when necessary.

Change-Id: I11f312668a5a42d690c058550f22b0f36f952104
CRs-Fixed: 3264581
parent 0e307776
+8 −1
@@ -2408,8 +2408,15 @@ uint32_t dp_rx_process(struct dp_intr *int_ctx, hal_ring_handle_t hal_ring_hdl,
		}

		/* Get TID from struct cb->tid_val, save to tid */
		if (qdf_nbuf_is_rx_chfrag_start(nbuf))
		if (qdf_nbuf_is_rx_chfrag_start(nbuf)) {
			tid = qdf_nbuf_get_tid_val(nbuf);
			if (tid >= CDP_MAX_DATA_TIDS) {
				DP_STATS_INC(soc, rx.err.rx_invalid_tid_err, 1);
				qdf_nbuf_free(nbuf);
				nbuf = next;
				continue;
			}
		}

		peer_id =  QDF_NBUF_CB_RX_PEER_ID(nbuf);
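Review bot: In dp_rx_process the raw value from `qdf_nbuf_get_tid_val(nbuf)` is written to `tid` before it is range-checked, so after the `continue` the variable still holds the rejected value. If `tid` is declared outside the loop (not visible in this hunk), a following nbuf for which `qdf_nbuf_is_rx_chfrag_start()` is false skips the whole block and would reach the later per-TID code with that stale out-of-range index, which is the out-of-bounds access this commit is meant to close. Validating a temporary and committing it only on success avoids that: `uint8_t rx_tid = qdf_nbuf_get_tid_val(nbuf);`, then `if (rx_tid >= CDP_MAX_DATA_TIDS) {` for the drop path, then `tid = rx_tid;`. It is also worth deciding whether the remaining fragments of the dropped MSDU should be discarded too. The function body starts and ends outside the hunk, so this needs confirming against the rest of the loop.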

+2 −0
@@ -6133,6 +6133,8 @@ dp_print_soc_rx_stats(struct dp_soc *soc)
		       soc->stats.rx.err.reo_cmd_send_fail);

	DP_PRINT_STATS("Rx BAR frames:%d", soc->stats.rx.bar_frame);
	DP_PRINT_STATS("Rx invalid TID count:%d",
		       soc->stats.rx.err.rx_invalid_tid_err);
}

#ifdef FEATURE_TSO_STATS
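Review bot: The added `DP_PRINT_STATS` call in dp_print_soc_rx_stats formats `rx_invalid_tid_err` with `%d`, but the third file section declares that counter as `uint32_t`, so the specifier does not match the type and the value would print as negative once it exceeds INT_MAX. `%u` fits the type: `DP_PRINT_STATS("Rx invalid TID count:%u",`. The neighbouring `Rx BAR frames:%d` line uses `%d` as well, so this may simply follow the file's existing convention.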
+2 −0
@@ -875,6 +875,8 @@ struct dp_soc_stats {
			uint32_t peer_unauth_rx_pkt_drop;
			/* MSDU len err count */
			uint32_t msdu_len_err;
			/* Rx invalid tid count */
			uint32_t rx_invalid_tid_err;
		} err;

		/* packet count per core - per ring */