qcacmn: Sanitize Rx buffer length received from H.W (8545efef) · Commits · e / devices / android_kernel_fairphone_FP5

dp/wifi3.0/dp_rx.c

+24 −0

Original line number	Diff line number	Diff line
		@@ -1887,6 +1887,25 @@ QDF_STATUS dp_rx_desc_nbuf_sanity_check(hal_ring_desc_t ring_desc,

		return QDF_STATUS_E_FAILURE;
		}

		/**
		* dp_rx_desc_nbuf_len_sanity_check - Add sanity check to catch Rx buffer
		* out of bound access from H.W
		*
		* @soc: DP soc
		* @pkt_len: Packet length received from H.W
		*
		* Return: NONE
		*/
		static inline void
		dp_rx_desc_nbuf_len_sanity_check(struct dp_soc *soc,
		uint32_t pkt_len)
		{
		struct rx_desc_pool *rx_desc_pool;

		rx_desc_pool = &soc->rx_desc_buf[0];
		qdf_assert_always(pkt_len < rx_desc_pool->buf_size);
		}
		#else
		static inline
		QDF_STATUS dp_rx_desc_nbuf_sanity_check(hal_ring_desc_t ring_desc,
		@@ -1894,6 +1913,9 @@ QDF_STATUS dp_rx_desc_nbuf_sanity_check(hal_ring_desc_t ring_desc,
		{
		return QDF_STATUS_SUCCESS;
		}

		static inline void
		dp_rx_desc_nbuf_len_sanity_check(struct dp_soc *soc, uint32_t pkt_len) { }
		#endif

		#ifdef WLAN_FEATURE_RX_SOFTIRQ_TIME_LIMIT
		@@ -2745,6 +2767,8 @@ uint32_t dp_rx_process(struct dp_intr *int_ctx, hal_ring_handle_t hal_ring_hdl,
		msdu_metadata.l3_hdr_pad +
		RX_PKT_TLVS_LEN;

		dp_rx_desc_nbuf_len_sanity_check(soc, pkt_len);

		qdf_nbuf_set_pktlen(nbuf, pkt_len);
		dp_rx_skip_tlvs(nbuf, msdu_metadata.l3_hdr_pad);
		}