
Commit 7f077b4b authored by chunquan's avatar chunquan Committed by Madan Koyyalamudi

qcacld-3.0: Fix out-of-bounds in tx_stats

The tx_stats array length num_entries can't be more than
param_buf->num_tx_stats from fw.
Otherwise an out-of-bounds access will happen when reading wmi_tx_stats.

Change-Id: I7ab3c7cc7baef6d903ba6301622bd67efe52cebe
CRs-Fixed: 3104318
parent 63d7eb96
+10 −4
/*
 * Copyright (c) 2013-2021 The Linux Foundation. All rights reserved.
 * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
 * Copyright (c) 2021-2022 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -1150,9 +1150,9 @@ wma_fill_tx_stats(struct sir_wifi_ll_ext_stats *ll_stats,
	struct sir_wifi_tx *tx_stats;
	struct sir_wifi_ll_ext_peer_stats *peer_stats;
	uint32_t *tx_mpdu_aggr, *tx_succ_mcs, *tx_fail_mcs, *tx_delay;
	uint32_t len, dst_len, param_len, tx_mpdu_aggr_array_len,
		 tx_succ_mcs_array_len, tx_fail_mcs_array_len,
		 tx_delay_array_len;
	uint32_t len, dst_len, param_len, num_entries,
		 tx_mpdu_aggr_array_len, tx_succ_mcs_array_len,
		 tx_fail_mcs_array_len, tx_delay_array_len;

	result = *buf;
	dst_len = *buf_length;
@@ -1231,6 +1231,12 @@ wma_fill_tx_stats(struct sir_wifi_ll_ext_stats *ll_stats,
		return QDF_STATUS_E_FAILURE;
	}

	num_entries = fix_param->num_peer_ac_tx_stats * WLAN_MAX_AC;
	if (num_entries > param_buf->num_tx_stats) {
		wma_err("tx stats invalid arg, %d", num_entries);
		return QDF_STATUS_E_FAILURE;
	}

	for (i = 0; i < fix_param->num_peer_ac_tx_stats; i++) {
		uint32_t peer_id = wmi_peer_tx[i].peer_id;
		struct sir_wifi_tx *ac;
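Review bot: The product `fix_param->num_peer_ac_tx_stats * WLAN_MAX_AC` is stored in the 32-bit `num_entries` before it is compared, so a large firmware-supplied count could wrap to a small value that passes the new check while the loop below still runs `num_peer_ac_tx_stats` times. Unless a bound on `num_peer_ac_tx_stats` is already enforced earlier in `wma_fill_tx_stats` (its body starts and ends outside this hunk, so that is not visible here), compare by division instead: `if (fix_param->num_peer_ac_tx_stats > param_buf->num_tx_stats / WLAN_MAX_AC) {`. The log line also prints the unsigned `num_entries` with `%d`; `%u` matches the type, and logging `param_buf->num_tx_stats` alongside it would make a rejected event easier to triage.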