Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c6b5b479 authored by Liangwei Dong's avatar Liangwei Dong Committed by Madan Koyyalamudi
Browse files

qcacld-3.0: Fix out of bounds access for he_ppet 

Add numss_m1 and ru_bit_mask check before access the data in
ppet16_ppet8_ru3_ru0.
numss_m1 + 1 should not exceed WMI_HOST_MAX_NUM_SS.
ru count should not exceed 4.

Change-Id: Ide6b562dacb0592fb5c2101c0ce016570cb1dac3
CRs-Fixed: 3080599
parent a210b0fb

core/wma/src/wma_he.c

+9 −0
Original line number Diff line number Diff line 
/*

 * Copyright (c) 2017-2020 The Linux Foundation. All rights reserved.

 * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.

 *

 * Permission to use, copy, modify, and/or distribute this software for

 * any purpose with or without fee is hereby granted, provided that the
@@ -713,6 +714,14 @@ void wma_print_he_ppet(void *he_ppet) 
	for (ru_count = 0; ru_bit_mask; ru_bit_mask >>= 1)

		if (ru_bit_mask & 0x1)

			ru_count++;

	if (numss > WMI_HOST_MAX_NUM_SS) {

		wma_err("invalid numss_m1 %d", ppet->numss_m1);

		return;

	}

	if (ru_count > HE_PEPT_RU_IDX_LEN) {

		wma_err("invalid ru_count 0x%08x", ppet->ru_bit_mask);

		return;

	}



	if (ru_count > 0) {

		wma_debug("PPET has following RU INDEX,");