Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6377820a authored by Wu Gao's avatar Wu Gao
Browse files

qcacmn: Check cookie and avoid to read out of bound 

Read out of bound due to invalid cookie and cause device broken. This
change checks cookie before using it as index of DBR buffer pool.

Change-Id: I1abc7d771cc62a7dd2dfe98784bf8ef2710f26ca
CRs-Fixed: 3144133
parent 557abe14

target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c

+11 −0
Original line number Diff line number Diff line 
/*

 * Copyright (c) 2017-2021 The Linux Foundation. All rights reserved.

 * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.

 *

 * Permission to use, copy, modify, and/or distribute this software for

 * any purpose with or without fee is hereby granted, provided that the
@@ -1023,6 +1024,11 @@ static QDF_STATUS target_if_dbr_replenish_ring(struct wlan_objmgr_pdev *pdev, 
		return QDF_STATUS_E_FAILURE;

	}



	if (cookie >= mod_param->dbr_ring_cfg->num_ptr) {

		direct_buf_rx_err("invalid cookie %d", cookie);

		return QDF_STATUS_E_INVAL;

	}



	dbr_psoc_obj = wlan_objmgr_psoc_get_comp_private_obj(psoc,

				WLAN_TARGET_IF_COMP_DIRECT_BUF_RX);
@@ -1504,6 +1510,11 @@ static void *target_if_dbr_vaddr_lookup( 


	dbr_buf_pool = mod_param->dbr_buf_pool;



	if (cookie >= mod_param->dbr_ring_cfg->num_ptr) {

		direct_buf_rx_err("invalid cookie %d", cookie);

		return NULL;

	}



	if (dbr_buf_pool[cookie].paddr == paddr) {

		return dbr_buf_pool[cookie].vaddr +

				dbr_buf_pool[cookie].offset;