Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c6b5b479 authored by Liangwei Dong's avatar Liangwei Dong Committed by Madan Koyyalamudi
Browse files

qcacld-3.0: Fix out of bounds access for he_ppet

Add numss_m1 and ru_bit_mask check before access the data in
ppet16_ppet8_ru3_ru0.
numss_m1 + 1 should not exceed WMI_HOST_MAX_NUM_SS.
ru count should not exceed 4.

Change-Id: Ide6b562dacb0592fb5c2101c0ce016570cb1dac3
CRs-Fixed: 3080599
parent a210b0fb
Loading
Loading
Loading
Loading
+9 −0
Original line number Diff line number Diff line
/*
 * Copyright (c) 2017-2020 The Linux Foundation. All rights reserved.
 * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -713,6 +714,14 @@ void wma_print_he_ppet(void *he_ppet)
	for (ru_count = 0; ru_bit_mask; ru_bit_mask >>= 1)
		if (ru_bit_mask & 0x1)
			ru_count++;
	if (numss > WMI_HOST_MAX_NUM_SS) {
		wma_err("invalid numss_m1 %d", ppet->numss_m1);
		return;
	}
	if (ru_count > HE_PEPT_RU_IDX_LEN) {
		wma_err("invalid ru_count 0x%08x", ppet->ru_bit_mask);
		return;
	}

	if (ru_count > 0) {
		wma_debug("PPET has following RU INDEX,");